63535e9bc79c60350d0e45dafe5a1417e895aec6c0b8f8252cbb6e495e0e873b

Analysis

max time kernel
139s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c62299f8a96dd413bd7c4f1182022d00_NeikiAnalytics.exe
Size

250KB
MD5

c62299f8a96dd413bd7c4f1182022d00
SHA1

db9c6e3e564fbc723d187df2cdc7522e67e9334e
SHA256

63535e9bc79c60350d0e45dafe5a1417e895aec6c0b8f8252cbb6e495e0e873b
SHA512

ac914895cd39f400c14577f3cbfd49e6355077b5683a2feb02f54b080f1c915c1389f0ab5186868c1b2b4b15aa07ac0e681d6a3d37c2350c2d2c7f78844f9bc4
SSDEEP

6144:7EDnQLkbvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:7GnQLt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c62299f8a96dd413bd7c4f1182022d00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe

Executes dropped EXE 64 IoCs

pid	Process
5064	Eqciba32.exe
4992	Efpajh32.exe
2120	Emjjgbjp.exe
4440	Eoifcnid.exe
632	Ffbnph32.exe
3036	Fhajlc32.exe
2208	Fqhbmqqg.exe
1872	Fbioei32.exe
3140	Fjqgff32.exe
2216	Fcikolnh.exe
2496	Fifdgblo.exe
4936	Fopldmcl.exe
5024	Ffjdqg32.exe
4524	Fobiilai.exe
2376	Fflaff32.exe
3460	Fmficqpc.exe
3276	Gcpapkgp.exe
5072	Gfnnlffc.exe
376	Gmhfhp32.exe
4924	Gcbnejem.exe
4724	Giofnacd.exe
2000	Goiojk32.exe
1960	Gjocgdkg.exe
3428	Gmmocpjk.exe
2368	Gbjhlfhb.exe
232	Gjapmdid.exe
4760	Gmoliohh.exe
4748	Gcidfi32.exe
4512	Gifmnpnl.exe
1692	Gppekj32.exe
1340	Hjfihc32.exe
3104	Hpbaqj32.exe
840	Hfljmdjc.exe
2808	Hikfip32.exe
2312	Habnjm32.exe
2676	Hcqjfh32.exe
3980	Hjjbcbqj.exe
2372	Hmioonpn.exe
3168	Hpgkkioa.exe
4328	Hbeghene.exe
3836	Hjmoibog.exe
3240	Hmklen32.exe
1148	Hpihai32.exe
2196	Hbhdmd32.exe
3320	Hibljoco.exe
4456	Haidklda.exe
3984	Icgqggce.exe
740	Iffmccbi.exe
1868	Iidipnal.exe
2316	Impepm32.exe
1632	Ipnalhii.exe
868	Ibmmhdhm.exe
2144	Iiffen32.exe
1560	Imbaemhc.exe
212	Ipqnahgf.exe
3112	Ifjfnb32.exe
3448	Imdnklfp.exe
1580	Idofhfmm.exe
1972	Ibagcc32.exe
4612	Imgkql32.exe
3920	Ipegmg32.exe
4020	Ifopiajn.exe
4480	Iinlemia.exe
440	Jaedgjjd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	c62299f8a96dd413bd7c4f1182022d00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Fhajlc32.exe	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hpihai32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6276	7164	WerFault.exe	252

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gcpapkgp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 5064	4520	c62299f8a96dd413bd7c4f1182022d00_NeikiAnalytics.exe	82
PID 4520 wrote to memory of 5064	4520	c62299f8a96dd413bd7c4f1182022d00_NeikiAnalytics.exe	82
PID 4520 wrote to memory of 5064	4520	c62299f8a96dd413bd7c4f1182022d00_NeikiAnalytics.exe	82
PID 5064 wrote to memory of 4992	5064	Eqciba32.exe	83
PID 5064 wrote to memory of 4992	5064	Eqciba32.exe	83
PID 5064 wrote to memory of 4992	5064	Eqciba32.exe	83
PID 4992 wrote to memory of 2120	4992	Efpajh32.exe	84
PID 4992 wrote to memory of 2120	4992	Efpajh32.exe	84
PID 4992 wrote to memory of 2120	4992	Efpajh32.exe	84
PID 2120 wrote to memory of 4440	2120	Emjjgbjp.exe	85
PID 2120 wrote to memory of 4440	2120	Emjjgbjp.exe	85
PID 2120 wrote to memory of 4440	2120	Emjjgbjp.exe	85
PID 4440 wrote to memory of 632	4440	Eoifcnid.exe	87
PID 4440 wrote to memory of 632	4440	Eoifcnid.exe	87
PID 4440 wrote to memory of 632	4440	Eoifcnid.exe	87
PID 632 wrote to memory of 3036	632	Ffbnph32.exe	88
PID 632 wrote to memory of 3036	632	Ffbnph32.exe	88
PID 632 wrote to memory of 3036	632	Ffbnph32.exe	88
PID 3036 wrote to memory of 2208	3036	Fhajlc32.exe	89
PID 3036 wrote to memory of 2208	3036	Fhajlc32.exe	89
PID 3036 wrote to memory of 2208	3036	Fhajlc32.exe	89
PID 2208 wrote to memory of 1872	2208	Fqhbmqqg.exe	90
PID 2208 wrote to memory of 1872	2208	Fqhbmqqg.exe	90
PID 2208 wrote to memory of 1872	2208	Fqhbmqqg.exe	90
PID 1872 wrote to memory of 3140	1872	Fbioei32.exe	92
PID 1872 wrote to memory of 3140	1872	Fbioei32.exe	92
PID 1872 wrote to memory of 3140	1872	Fbioei32.exe	92
PID 3140 wrote to memory of 2216	3140	Fjqgff32.exe	93
PID 3140 wrote to memory of 2216	3140	Fjqgff32.exe	93
PID 3140 wrote to memory of 2216	3140	Fjqgff32.exe	93
PID 2216 wrote to memory of 2496	2216	Fcikolnh.exe	94
PID 2216 wrote to memory of 2496	2216	Fcikolnh.exe	94
PID 2216 wrote to memory of 2496	2216	Fcikolnh.exe	94
PID 2496 wrote to memory of 4936	2496	Fifdgblo.exe	95
PID 2496 wrote to memory of 4936	2496	Fifdgblo.exe	95
PID 2496 wrote to memory of 4936	2496	Fifdgblo.exe	95
PID 4936 wrote to memory of 5024	4936	Fopldmcl.exe	96
PID 4936 wrote to memory of 5024	4936	Fopldmcl.exe	96
PID 4936 wrote to memory of 5024	4936	Fopldmcl.exe	96
PID 5024 wrote to memory of 4524	5024	Ffjdqg32.exe	97
PID 5024 wrote to memory of 4524	5024	Ffjdqg32.exe	97
PID 5024 wrote to memory of 4524	5024	Ffjdqg32.exe	97
PID 4524 wrote to memory of 2376	4524	Fobiilai.exe	98
PID 4524 wrote to memory of 2376	4524	Fobiilai.exe	98
PID 4524 wrote to memory of 2376	4524	Fobiilai.exe	98
PID 2376 wrote to memory of 3460	2376	Fflaff32.exe	99
PID 2376 wrote to memory of 3460	2376	Fflaff32.exe	99
PID 2376 wrote to memory of 3460	2376	Fflaff32.exe	99
PID 3460 wrote to memory of 3276	3460	Fmficqpc.exe	100
PID 3460 wrote to memory of 3276	3460	Fmficqpc.exe	100
PID 3460 wrote to memory of 3276	3460	Fmficqpc.exe	100
PID 3276 wrote to memory of 5072	3276	Gcpapkgp.exe	101
PID 3276 wrote to memory of 5072	3276	Gcpapkgp.exe	101
PID 3276 wrote to memory of 5072	3276	Gcpapkgp.exe	101
PID 5072 wrote to memory of 376	5072	Gfnnlffc.exe	103
PID 5072 wrote to memory of 376	5072	Gfnnlffc.exe	103
PID 5072 wrote to memory of 376	5072	Gfnnlffc.exe	103
PID 376 wrote to memory of 4924	376	Gmhfhp32.exe	104
PID 376 wrote to memory of 4924	376	Gmhfhp32.exe	104
PID 376 wrote to memory of 4924	376	Gmhfhp32.exe	104
PID 4924 wrote to memory of 4724	4924	Gcbnejem.exe	105
PID 4924 wrote to memory of 4724	4924	Gcbnejem.exe	105
PID 4924 wrote to memory of 4724	4924	Gcbnejem.exe	105
PID 4724 wrote to memory of 2000	4724	Giofnacd.exe	106

C:\Users\Admin\AppData\Local\Temp\c62299f8a96dd413bd7c4f1182022d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c62299f8a96dd413bd7c4f1182022d00_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\Eqciba32.exe
  C:\Windows\system32\Eqciba32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\Efpajh32.exe
    C:\Windows\system32\Efpajh32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\SysWOW64\Emjjgbjp.exe
      C:\Windows\system32\Emjjgbjp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        24⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        26⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        31⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        36⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        37⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        41⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        51⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        53⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        60⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        61⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        62⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        64⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        66⤵
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        68⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        71⤵
        
        PID:520
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2176
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        74⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        75⤵
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        77⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        78⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        80⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        81⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        82⤵
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        85⤵
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        86⤵
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        87⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        90⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        92⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        93⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        98⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        100⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        101⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        102⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        103⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        105⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        109⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        110⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        111⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        112⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        115⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        118⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        120⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        122⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        125⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        126⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        129⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        130⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        131⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        135⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        136⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        138⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        139⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        142⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        143⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        144⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        146⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        149⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        151⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        153⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        156⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        157⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        159⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        161⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        162⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        163⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        164⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 408
        165⤵
        Program crash
        
        PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7164 -ip 7164
1⤵
PID:6228

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5504

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efpajh32.exe

Filesize
250KB

MD5
420a9865153e8a93a070286d0a7f70fc

SHA1
2e265384b4844aaddc02f8bc1242974a4924c3be

SHA256
a0033a9b5cb2cbcb9254f80cbdae9324ddeb430e91ea35785b9f7b3903971759

SHA512
2c4515f4983ea1ddad01fe3c41ed5208e71374a3da5cb42398ad7d0ce2ee8a0fcdf16e7fb67d12857c6da32cbfbb3bcef8b4ee680273f37cf3ef9f1cf289b86f

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
250KB

MD5
fb0540e8b207ae240b4400cddbdf1e01

SHA1
8f9c5089af862a1b1232f64fccd6d9e754f9a5b4

SHA256
44579ee043a31fa9132e5279342b03a2668ee8522e8e179dfc8385cf72b85448

SHA512
64848e6e29c644477575fb1ea113e576edbbd6073128e035fe5cfb0abb4bf42f27c82b65ce19148855e2cc16adf670eb08f47a4b1c93e800a02d3d8a53c0c9b1

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
250KB

MD5
8e06e2ce904cb7942bb0d6800372de9a

SHA1
02f1949f2d4385745ddbaeca144da391a4ac849a

SHA256
c44523a783358e95d0f83437d327032dcb1f6ee8d1cafc72807ea4a79cbd15e2

SHA512
e3c78f409161d1771deb67cdd23351ebf1c4d512b194120b1014d464280372f9d1e959418367c2950dc7d808155777fdc8fd10cc708da479c49fa99ab3222f03

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
250KB

MD5
27989739c24b4b7c2345b0e0425324da

SHA1
dd3f21bd0e3fe5cdbc37601050e5817b2777a3b0

SHA256
8b1406902cb82f0fe34d191d198dbc9b5126affee2eb92e395759207e2495c6b

SHA512
037ad2f7c77e77f24e098652f63aded743525df1e7b8ee4e58762212ca633b124241cf39839c889a9928dd86afe403e1b4bbb2158193659044940da48c6c0e40

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
250KB

MD5
6e1f1470d223ebb7c93e01ccb4c24152

SHA1
611f15f578eaf9c5b5718c830cb300398431a5b2

SHA256
cf34236650245c6cfa94ff1cd5dd28e0ad1563615e8d654b2f6c53925e38fa91

SHA512
4de51a6deb95b75dc45a6bcc6a5f8f9db6d0d7e6648fcd0262da2ac9bd8dd6b8bb1fa3ad4473acc36e435965cbb9b0a19cf6d82773729e11f006d9b3e144bcb9

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
250KB

MD5
5ac6715e5e0ea103578c75a8aaaf6bc2

SHA1
116133ca6a183bd5def10e28fe1565a5a760cf3d

SHA256
a951eed77e568b3dc31e3204af77798e6092bf1e3f2568e2ace8dc2750c8f9a2

SHA512
b9f76755ebfdc574919d3f4279f58fd1550f8ce56f61a2ce53dbfe4ce2becc1b0d27d86fb6d19d53a3c681fe2c9e78f012e1e662e45cd8e278421028c630c2a9

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
250KB

MD5
8a0936ae65d4ae015a8deff3f2c9af8f

SHA1
ab03fe4d1a5b1767718968257fb0366cb80ef852

SHA256
5681eae4ff7fd2ee225919803b8163912c2ad5961f0aa82ac59ac4013e7395b8

SHA512
748008feef029f1a3f593614b063c7fe583e84b17e90dcf8e2bd988778962db69393dd38f5a84be01fd5f6baa26f47dc64ed6c0b438517e94c95e6cbbe790e94

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
250KB

MD5
edf9befdf305e1214b88110ad86f2aad

SHA1
cf177dc6fd16e2fcc2586e2b1d10713a46577b10

SHA256
a6a48bf45d77d92a192dee9218b18ab48ca35e38e5c7f93c316be49816ac48c2

SHA512
3e89ae1f398c9461a40d162bd580afdd848a3604b630681469d89899b1f4d2921fec0a985601251bd22ee1b7810baaf08bce16938c3156844b6e59c27cd631de

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
250KB

MD5
e68740722af7fc5db0a4ebed413f6bf1

SHA1
63767d4bed47c3ea1901cf496be8879de411985d

SHA256
9af172a2b541e30c389aa7c4f880bc62285c8b0bb444dcf2d43f7f5e76e17de4

SHA512
6f3f6c15ac902aa23a4817908eeccd7b8cf6ae7a2da25c2bbb3bf8a0e34f270d72d0101f01e06d385dcf0de6dbffc1bef713f7e3f1d26ced0bbe033552e225b6

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
250KB

MD5
597ef73c278a68723c3250ca32423f62

SHA1
81af3756032b002d8768bceea80503c0d3d6d16d

SHA256
66a04331b90934776f21603ddb6ba4c47064430144973a62f6b14d5bf8fad7e1

SHA512
ac55cab54ab1fefd74483495b191f9601ce5f225098dd6e7d1a3084de07f80477c5f09c0712e025f3bd5e816e088bbd02308a965e97195083705042fa31f0709

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
250KB

MD5
5af00d008629494aa0536ea026172817

SHA1
72809dc7fed8ca26fc7ae4826c49c1b400615bfd

SHA256
9849534d197c0050e687bb81209e35ba6f905df08a1c7b4c3fa2f85678edc34c

SHA512
7e274d598aff895115f971ad22ef6a1fc34fb2bd6e93cdf4a562206f9aa48352e8dbb4f018ed5e82dcb617b7c3d5131b43bcd2e6e4c296c944bf6e89d5f61920

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
250KB

MD5
26d48b4e5c37a45ee5f12129dce3a002

SHA1
433b80f636d519fcff9a2bbeb77bc0e7b88c509f

SHA256
cd08698018f6b36ba952f71f2e2c9e3eb6c93f9ffc31d1ab647cd99c3fa8089a

SHA512
b35274276f7b9fb839845988f16031b8d4e60fd5e835bd35f69262c19a2d4bdbfa8392386b2bac08cdc6313b28d73ac825d3d672cb23e9b4893761d8d4947255

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
250KB

MD5
4d05b47f318a94713b41defc1dd342b3

SHA1
aebbfeb16ab2c0f9d1d31f2e48d825f511a29eef

SHA256
b8529e7136c59c178f27b92278c04d5d2428d959d183918bd15c0d95f8037d88

SHA512
6dea541062fc77588f20521cc9225a52809946938719400c4acc494365528ff4bfb55d646c79f416cf14d7435d5ac142b9ae1edf65e12cd73c7825bd4955fcea

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
250KB

MD5
3903271c14b97852e7f193ba7ebc28b3

SHA1
7307ed3f77fe6a585e96e071be2003738aec998d

SHA256
f05d58d07d9075e935010d036c20fefd477d06ca367f7720a34436c8d58500e2

SHA512
d7aec65b78597c52071c7eca329590b5f25f922b1973288fe30ccf92aad87383f0c914000afff13e417d9db0b8d157ea2f4ade3a1595502f36bfb289469f9a08

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
250KB

MD5
7bf7a210c982fc8e4c465854ff3aff83

SHA1
377f89c206edf92dc12e3c334dc4b93fc4754c83

SHA256
6c16c999a110f8ee07d9c7b6b047129d840db8f7618bf0867b8281b9a737d79a

SHA512
0ec58ff4577eafe619133ddae0641b43f4cdbaa340706f2cad3d7f40b9bf2478b1e134e80d19140baa851886590d0c99e1afb454666609d549dd1411dc154ce9

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
250KB

MD5
3413b5f04880cc9b653d6adb310da736

SHA1
1d2e9798031cb53f2bfe237cd9c0d88b2f288df5

SHA256
5b8e87f1f97d63e88df65df2606d9f0ad78b83f1a6ca1d508f6b33155b50e015

SHA512
f8f251dbdc1304a8df31436252301973cb5bf0b2ac9087e277252509b215138d62d4f392678b9ebd420eeba7706f943b1ac6eef74ff3585f0e324ac23f4ab481

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
250KB

MD5
d685cebad54d2376c36f9ab3cf3e2d62

SHA1
87858af5fac508cf1182060567a5744487c860e5

SHA256
d21fbc299929c5caf468fd6a0bb815a269a7426e49ac818fa045de783f5c9791

SHA512
bde78e43c5d508837f1493334021023ac74562ff660a7496cdef7e1b011530c1aeb0d78b77ac8e44550bff4b46c9f2141f6a83f150d86ad95fd88066ab823056

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
250KB

MD5
5080773c5c4a57e87e8f941c734c0bc4

SHA1
0d675c3451c92a490a0c884ef6960e8a92203c15

SHA256
cbec74bfda9871720abf67de26b3a2fa38344ace3d11c4d02819969db8d31d52

SHA512
c6fa952de4e182b911c17b14a42f5a4866da597b8be9c8fd4ce0fde5f678f2a5d863edf404feb22be4cb7b181f20b045acfe8a72665488844a0c057eb5d7fb09

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
250KB

MD5
c290b9a55705fb03b0a29916fceea459

SHA1
d6d0a4ecaf75e4ad1f5812926d99181273dcf9e4

SHA256
e24eea20d4b3f22ddfdf611e8164ee26ec34d7a986a8ead2aab5dfd2b90c1abe

SHA512
d096781e1121546722e1e06f78be75f55b4a321ce8460087d29ff783763b016ea7bde61ee4329d2f970723123fc4ffae4881a56aa971089b9fd3ff22d6d6705e

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
250KB

MD5
68c59b41d9d3205c3ae94c1b7be8fad4

SHA1
1c2b6dadac450e182fa035feb137028d2001f582

SHA256
ef753c536019e0edbdc40f4af060373526cd6d672641495938d4008dce810e57

SHA512
0a18d1cbf789fbdf632880d994148bb2a14812cacd3b13a84cb7012542314d5b51ebb9a894ff4e8badf2d16bb5ebbffdd3d909452e64cf0a554ea981f5757b4c

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
250KB

MD5
83ec37614168fe8f35c564b0fcf2e5b6

SHA1
53f624be60689cacc8e2b6dc1fa1e647cdf9e143

SHA256
b95c58609e08301888adecf83e1e6d2beb66abd0ca1e11de6507eb14ac2fcba6

SHA512
d386c2437c3acf2720f85b2a330a19ab4ad136291b1543012a3c9d5e9a6ddec0a8690fa546cd495688d7463f05fd3f374ecb434082e8c6a46bc844a9ac793801

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
250KB

MD5
69a6513c5a450b8cc094504f2e2d3581

SHA1
607d72b4796e71f0fea5f68b957df6604932802e

SHA256
1bd6cfb1dba2a080552ade43a9e7347baa0d4cc7493ce7b1c0544cff1b04586b

SHA512
7e4c95297cbf06bb442c81f95e34e284e3f0d1806a2b21a2b7cd23a2bace25cdc0ab701e59a12a22ecd7a6e4074abb9687af288a5b29a6c68e5c568260e5243e

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
250KB

MD5
d320121c6acd6b7504ec318efe7abab8

SHA1
f6d9575ec63a5075cfa68e8cfabe84e825f488f1

SHA256
08b1bdfc332394dd90fb23970f456c7e3b5bfba0bcff277ebcc3de77174211e3

SHA512
449d4522ce9b1d834f3c6f669e441956b2a6abdc3e00dcd42af663e9aa50f0dc78515f6c9cb90de7fa6cbb463abeec0740df7fd1fd134df9e0b23649d4c7d19d

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
250KB

MD5
96e69b2450a1c50ae009d24e569a9af7

SHA1
852680a050034fc7468638745513440bc0fa9f94

SHA256
75eff34c4fc184eb5fbedbf299c9a7a06a4d59beb82a1b647fbfbb79a1e3e033

SHA512
a4f7161f1804f25b7b0ca571d9c13c7213be1a2b66137fe00b828a96d554530ee4e1480bf2b38ec3160d02afd79b6e3be463c66a6aa8a1d3541cf7e1de7ffab9

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
250KB

MD5
39336cf8bd6d3e77bef4e47980bbdff4

SHA1
2b8af418e96332ad4511eeb18f0377b2635809d5

SHA256
98909de961262bf570bd7c2d1c03f30145dbe0564d5db947b3e1be7dc706ab26

SHA512
6daaaa431d1c59b14d6863162d08ea0585c8e979ce2ab239ae056baeca15ea0f3ffa550d1481c96f2f1454f7199c411fd05817320236bff8772acb7ca6802dfa

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
250KB

MD5
c9f95a16ce282e209d70fc8599c89f8b

SHA1
358ce2d782297aaa6c058c5c6a8da3fae26b33b3

SHA256
8256f334cb8b70334e47f67fae554a51cb2d3c4a2488c2a708787131d9f859bb

SHA512
6f7b54df8c5688411aa6a44c98208980c6a86a40d26a66761481f5c02cf47d5b5bc4936756f329e0ee9307dc2d3b9561299d62325b1e9e67d84eddd595fc307e

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
250KB

MD5
df239514d0f223acb95973cc07578fb0

SHA1
c8de7b93bf4d6084aa4d019da672b6a06f8d45e1

SHA256
13e2e2e0ed6089bda044f26396c306bd12396fe7d481acb4fc21ca8b3bc5b32d

SHA512
bcd77e200479fdb5b2a7b38cd5a410bc2261752862552109531cc8c555f1a44248080269fb122d4e457b799e02dac45181db78c556439d901817d0427b1d26c7

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
250KB

MD5
cfb7215fb25f6c2f268d6ffa0ef019da

SHA1
d9c5af7be21e9c299ba3e3134fb26c95115a9092

SHA256
c3820434b557d41f4b4a759816d30e2e59ecb097528ead112efe0914604c2712

SHA512
551144655e97a30f2e356d53b6d4eed02fc2e2a6acce0536f424ab2c058881240d40276ed85812107d3767e08a73ccf80b68f7e3dac9b74fb046ef552e2cbb33

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
250KB

MD5
84d9d598c3927bfe286b8260937dd5b7

SHA1
803144b6647187cbec6774b3acbd4255efd970bb

SHA256
bb5f3a88ce38528ce1fcd394bd377af96ecfbf8939c1e710faf2824f2e93351a

SHA512
ca7aff7d73e5cc1befc771ccbe8ee2f682afdec10e46e434cc9d425b56b3d9fcef51dbd6a9652d539bfb10ca327c8a25cde52b231601f5ed836e937600507376

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
250KB

MD5
48f63ce6a7e7682297f2409068330411

SHA1
f826cca5d78d7b6da70fe3baaf2fdf530a740dc1

SHA256
b2ce0a4dcb6cd55621d9d60e9f6fbb95e630a7afe4de7de400be0c80ab3bdbf7

SHA512
eaaf3a300a7d1de72a1c10900fbff6f746ff66a10077e94f3da865561822742f35064c6acb69ae63a8cee6e5812df38b060e4c69f2c2a1e31cd0fe109d91f5de

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
250KB

MD5
2b0f9e3df5c2bd82571275c3eacd5704

SHA1
b42e3ba8af6de5a33ce171799de53d72b978f4a0

SHA256
35a37a97514f3b0e290debbbdfbf25e74cd42ceaee2d98a244a220f9d87f7853

SHA512
1ca618c32927f24b81272babc1cd72b6cf32aae870638f9d4d5d4eea18708474f5c635c344fc96eaaa9dcf0aa04bbc178d0c29cd119fa4dc1050091d4d128023

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
250KB

MD5
92ac58428bda1d14efcac6d1345e3fb7

SHA1
6d4a987377aa49d3717b9e57c42582ef16bdc60d

SHA256
f1f89d06f6326947d5ef1693536e7438b5f2445d3c45313b5bcf878f9cfd5a56

SHA512
1d1f985c357ec838a902c0041506fe52800a7d54bc4b7c64b2aeffa6e2c78ec29764010ced1fdb748d070aec82ea2ca6dc628d3ab26d599d6bbff28c924a4633

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
250KB

MD5
e841c4544bc6d233d1d8bb85571e2933

SHA1
97bba1eee66119d4286c6646bf8fd4badb91213e

SHA256
229715d68a57533d65d4cc74340326bcca059cb21209aadea8e966e10f8e1e04

SHA512
38a874904f24c1ecd2948e623762e81f1258971014576d05bc203e1a32f75245df942c8e7dc6e421f05381cf533af1d65f56dcaddd3ace2c4e0dbeba00f017c9

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
250KB

MD5
aeeb12b8980a46f21c0bb92257b9fc06

SHA1
ff023d07181c95ea9f15adf977f1f6fb7c2b4d86

SHA256
273e7c2749b7c125d912f7bd1b70a98161d7231a1e386aa76290e37b7b37516a

SHA512
147ce883978add96dda80a6d5bc52b69e7b91b593878a3dafa386598ed267a3fdc3d4179ffe54e66eca1bf2e4c2ee7d3ad903e1d519e33c2101a4c010ee03dd0

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
250KB

MD5
af0c51cd63b943fa5f1543f59079c021

SHA1
8de29f76093ab586a7945be44bc00248ef96681e

SHA256
d77f01ee54a0e24dabe3c8d677bd4bb38fa8bca2b44b1afcbc48145e991d9abe

SHA512
b9b19bf1992b02eae3b393c8d5e8ad3849f6068e9bbff2f25f2ee80efd59c6e1c03b77356a430b4dfea82320ad41791268b67747406bac499c0f463307b837c7

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
250KB

MD5
665bd4bd6fd1113abd551b14393f6b0b

SHA1
7f5839ac1dbd7230dda09dc10698a9d70e118ebd

SHA256
6f1931f774ae88dfb307a5771cb47884c14a1a64b390f8389d9fb9ea283114dc

SHA512
facf78ef6550f240d1c5fb25aee547c287080bb8d68a970ca28a397a31df776a596379a976d03a6e7e35c3b71d2e09d9f07516bbe11336d7f6e8cea136d3ca6f

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
250KB

MD5
a32edec5b9336dd0e744ba0d8de360f7

SHA1
c238fb33bd478bba0dfbb540988fcee00718fe8e

SHA256
c1d527411a2444cb0ed574a69526fd085879efcb5ecf7a18ec6cad0f37e288c0

SHA512
0e894505497b26db666bb81ecbdfb30123f4ed2b2dae6d7ecdcccc4764928909fd26496506ce9025c54ebe428d777261d62282e4f0b71b18350a35310ad7ddfa

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
250KB

MD5
e71fa11e31baccfcb051f2b67ab2e7ae

SHA1
2abb3a9cb7903a1b73c6153e162a66124773fb8c

SHA256
88d01bf42cf8365587e0b2fd8a8adcfbd7c929a0bb2caa040442ba4036549456

SHA512
adf2c16f4f96820ec0fcbc4d1e2115a5f0c643e508adb497d8614e7cde0af98e5da8144b5c570db2385df64d0b86dadc56a7c35206d26d435921e4878929c520

Download Submit
memory/60-508-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/212-387-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/232-207-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/376-151-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/376-654-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/440-441-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/520-474-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/632-565-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/632-44-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/688-451-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/840-261-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/840-1323-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1148-317-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1208-466-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1340-1326-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1340-244-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1560-381-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1580-404-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1632-366-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1676-502-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1692-237-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1868-352-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1872-584-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1872-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1960-183-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1972-410-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2000-175-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2120-28-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2120-551-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2144-380-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2176-484-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2196-324-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2208-577-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2208-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2216-597-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2216-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2224-1229-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2224-533-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2312-271-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2316-358-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2368-199-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2372-291-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2376-120-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2376-632-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2496-88-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2496-603-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2808-269-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-567-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-52-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-445-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3104-253-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3140-591-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3140-76-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3168-294-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3240-311-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3276-645-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3320-330-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3352-559-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3428-191-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3448-398-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3460-132-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3460-634-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3920-426-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3980-282-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3984-341-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4020-428-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4104-486-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4328-300-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4440-558-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4440-36-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4444-468-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4456-335-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4480-1263-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4512-233-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4520-531-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4520-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4524-112-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4524-621-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4612-416-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4652-1230-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4724-167-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4876-520-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4888-552-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4924-159-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4936-609-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4936-96-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4992-544-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4992-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5000-519-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5016-545-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5024-615-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5024-104-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5064-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5064-542-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5072-1353-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5072-142-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5072-647-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5172-578-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5216-585-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5252-1142-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5260-1211-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5468-622-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5552-635-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5640-648-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5780-1134-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5808-1150-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5876-1133-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5940-1179-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5972-1122-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6452-1095-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6496-1096-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6572-1090-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads