93c11653ad78f6172c161e610ebbe149cfd14b9a108bb091069bb3c335883678

Analysis

max time kernel
97s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96994440ed9bbe8f57526724e974bef0_NeikiAnalytics.exe
Size

79KB
MD5

96994440ed9bbe8f57526724e974bef0
SHA1

e43b41e9d6e8b5c9e8965e54cdbe911e9e509f01
SHA256

93c11653ad78f6172c161e610ebbe149cfd14b9a108bb091069bb3c335883678
SHA512

cdbb0b26e24c8c89dcb39030165624ba3415f49b1c3ecac27b206c4bbb35dc1034a8977eb7de87d6b51b687313907a4a5649d463691dab3486635b95215a4256
SSDEEP

1536:4w5EJTxlsefov7XYfgBXaTQZrI1jHJZrR:4QMTRovjYfQXaTQu1jHJ9R

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	96994440ed9bbe8f57526724e974bef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe

Executes dropped EXE 64 IoCs

pid	Process
1200	Epopgbia.exe
4812	Ecmlcmhe.exe
2768	Ehjdldfl.exe
4536	Eqalmafo.exe
2664	Ebbidj32.exe
1588	Ehlaaddj.exe
3104	Eqciba32.exe
732	Efpajh32.exe
3720	Emjjgbjp.exe
3852	Fbgbpihg.exe
3728	Fjnjqfij.exe
3812	Fqhbmqqg.exe
3464	Fcgoilpj.exe
3404	Fjqgff32.exe
3228	Fmocba32.exe
1100	Fbllkh32.exe
4580	Fjcclf32.exe
4772	Fqmlhpla.exe
1628	Fbnhphbp.exe
4396	Fmclmabe.exe
1360	Fobiilai.exe
3516	Fflaff32.exe
3084	Fjhmgeao.exe
4180	Fmficqpc.exe
2364	Gcpapkgp.exe
4444	Gjjjle32.exe
3928	Gogbdl32.exe
2060	Gbenqg32.exe
2024	Gmkbnp32.exe
1372	Goiojk32.exe
5060	Gfcgge32.exe
4432	Giacca32.exe
4332	Gpklpkio.exe
4636	Gbjhlfhb.exe
3664	Gfedle32.exe
1940	Gidphq32.exe
2668	Gqkhjn32.exe
2032	Gcidfi32.exe
2396	Gbldaffp.exe
5096	Gifmnpnl.exe
4708	Gppekj32.exe
2764	Hboagf32.exe
396	Hjfihc32.exe
3976	Hmdedo32.exe
3384	Hapaemll.exe
2532	Hcnnaikp.exe
3408	Hfljmdjc.exe
4604	Hmfbjnbp.exe
684	Hpenfjad.exe
3172	Hbckbepg.exe
2272	Hjjbcbqj.exe
1804	Hpgkkioa.exe
3292	Hccglh32.exe
2524	Hjmoibog.exe
4124	Hmklen32.exe
4516	Hcedaheh.exe
4060	Hjolnb32.exe
4888	Haidklda.exe
1488	Icgqggce.exe
4896	Iffmccbi.exe
3860	Impepm32.exe
4056	Ibmmhdhm.exe
1184	Ijdeiaio.exe
3216	Iannfk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ecmlcmhe.exe	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Lbdcekmm.dll	Fbgbpihg.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fflaff32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Eqalmafo.exe	Ehjdldfl.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6416	6328	WerFault.exe	244

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1200	1524	96994440ed9bbe8f57526724e974bef0_NeikiAnalytics.exe	81
PID 1524 wrote to memory of 1200	1524	96994440ed9bbe8f57526724e974bef0_NeikiAnalytics.exe	81
PID 1524 wrote to memory of 1200	1524	96994440ed9bbe8f57526724e974bef0_NeikiAnalytics.exe	81
PID 1200 wrote to memory of 4812	1200	Epopgbia.exe	82
PID 1200 wrote to memory of 4812	1200	Epopgbia.exe	82
PID 1200 wrote to memory of 4812	1200	Epopgbia.exe	82
PID 4812 wrote to memory of 2768	4812	Ecmlcmhe.exe	83
PID 4812 wrote to memory of 2768	4812	Ecmlcmhe.exe	83
PID 4812 wrote to memory of 2768	4812	Ecmlcmhe.exe	83
PID 2768 wrote to memory of 4536	2768	Ehjdldfl.exe	84
PID 2768 wrote to memory of 4536	2768	Ehjdldfl.exe	84
PID 2768 wrote to memory of 4536	2768	Ehjdldfl.exe	84
PID 4536 wrote to memory of 2664	4536	Eqalmafo.exe	85
PID 4536 wrote to memory of 2664	4536	Eqalmafo.exe	85
PID 4536 wrote to memory of 2664	4536	Eqalmafo.exe	85
PID 2664 wrote to memory of 1588	2664	Ebbidj32.exe	86
PID 2664 wrote to memory of 1588	2664	Ebbidj32.exe	86
PID 2664 wrote to memory of 1588	2664	Ebbidj32.exe	86
PID 1588 wrote to memory of 3104	1588	Ehlaaddj.exe	87
PID 1588 wrote to memory of 3104	1588	Ehlaaddj.exe	87
PID 1588 wrote to memory of 3104	1588	Ehlaaddj.exe	87
PID 3104 wrote to memory of 732	3104	Eqciba32.exe	88
PID 3104 wrote to memory of 732	3104	Eqciba32.exe	88
PID 3104 wrote to memory of 732	3104	Eqciba32.exe	88
PID 732 wrote to memory of 3720	732	Efpajh32.exe	89
PID 732 wrote to memory of 3720	732	Efpajh32.exe	89
PID 732 wrote to memory of 3720	732	Efpajh32.exe	89
PID 3720 wrote to memory of 3852	3720	Emjjgbjp.exe	90
PID 3720 wrote to memory of 3852	3720	Emjjgbjp.exe	90
PID 3720 wrote to memory of 3852	3720	Emjjgbjp.exe	90
PID 3852 wrote to memory of 3728	3852	Fbgbpihg.exe	91
PID 3852 wrote to memory of 3728	3852	Fbgbpihg.exe	91
PID 3852 wrote to memory of 3728	3852	Fbgbpihg.exe	91
PID 3728 wrote to memory of 3812	3728	Fjnjqfij.exe	92
PID 3728 wrote to memory of 3812	3728	Fjnjqfij.exe	92
PID 3728 wrote to memory of 3812	3728	Fjnjqfij.exe	92
PID 3812 wrote to memory of 3464	3812	Fqhbmqqg.exe	94
PID 3812 wrote to memory of 3464	3812	Fqhbmqqg.exe	94
PID 3812 wrote to memory of 3464	3812	Fqhbmqqg.exe	94
PID 3464 wrote to memory of 3404	3464	Fcgoilpj.exe	95
PID 3464 wrote to memory of 3404	3464	Fcgoilpj.exe	95
PID 3464 wrote to memory of 3404	3464	Fcgoilpj.exe	95
PID 3404 wrote to memory of 3228	3404	Fjqgff32.exe	96
PID 3404 wrote to memory of 3228	3404	Fjqgff32.exe	96
PID 3404 wrote to memory of 3228	3404	Fjqgff32.exe	96
PID 3228 wrote to memory of 1100	3228	Fmocba32.exe	98
PID 3228 wrote to memory of 1100	3228	Fmocba32.exe	98
PID 3228 wrote to memory of 1100	3228	Fmocba32.exe	98
PID 1100 wrote to memory of 4580	1100	Fbllkh32.exe	99
PID 1100 wrote to memory of 4580	1100	Fbllkh32.exe	99
PID 1100 wrote to memory of 4580	1100	Fbllkh32.exe	99
PID 4580 wrote to memory of 4772	4580	Fjcclf32.exe	100
PID 4580 wrote to memory of 4772	4580	Fjcclf32.exe	100
PID 4580 wrote to memory of 4772	4580	Fjcclf32.exe	100
PID 4772 wrote to memory of 1628	4772	Fqmlhpla.exe	101
PID 4772 wrote to memory of 1628	4772	Fqmlhpla.exe	101
PID 4772 wrote to memory of 1628	4772	Fqmlhpla.exe	101
PID 1628 wrote to memory of 4396	1628	Fbnhphbp.exe	102
PID 1628 wrote to memory of 4396	1628	Fbnhphbp.exe	102
PID 1628 wrote to memory of 4396	1628	Fbnhphbp.exe	102
PID 4396 wrote to memory of 1360	4396	Fmclmabe.exe	103
PID 4396 wrote to memory of 1360	4396	Fmclmabe.exe	103
PID 4396 wrote to memory of 1360	4396	Fmclmabe.exe	103
PID 1360 wrote to memory of 3516	1360	Fobiilai.exe	105

C:\Users\Admin\AppData\Local\Temp\96994440ed9bbe8f57526724e974bef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\96994440ed9bbe8f57526724e974bef0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\Epopgbia.exe
  C:\Windows\system32\Epopgbia.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\Ecmlcmhe.exe
    C:\Windows\system32\Ecmlcmhe.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\Ehjdldfl.exe
      C:\Windows\system32\Ehjdldfl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        27⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        28⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        29⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        43⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        46⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        48⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        57⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        58⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        59⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        63⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        66⤵
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3920
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        68⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        70⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3512
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        74⤵
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        75⤵
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        78⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        79⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        80⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        81⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        82⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        84⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        86⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        88⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        89⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        91⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        92⤵
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        95⤵
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4084
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        97⤵
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1376
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4308
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        101⤵
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        103⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        107⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        110⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        111⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        112⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        113⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        114⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        117⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        118⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        121⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        125⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        131⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        132⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        133⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        134⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        137⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        142⤵
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        146⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        147⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        148⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        149⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        150⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        151⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        152⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        153⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        154⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        156⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        158⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 408
        159⤵
        Program crash
        
        PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6328 -ip 6328
1⤵
PID:6392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
79KB

MD5
45b536802de0c44316e812ab67bbd26d

SHA1
ff53ce1edcb7f4e724f2304940168d277ea64e69

SHA256
59782e0d49b3b09d56df09ae78c3bf5227554dc0e969c857042ef6190028d07f

SHA512
0d62b46824751642b4a250daadb87eac7c475326906255657c6012cfdc21e7503ec033877b0f494f1fc05aee0078056df486cbcc7ebaf1fe47d5986dec63ff9a

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
79KB

MD5
4fcec3545cd96ddd6a4dee3f3c79bbd0

SHA1
961db7592fb5c69e3a633f234f2ee3c3c1bffee5

SHA256
f7c026dc445fb7af37886216f9979f9751af80443ca4cb2f04b2c11084c14675

SHA512
0660c45f59cfa9b0f676e16f3c7f7c9d36624972e7f3706fa5b79d52ca7d0961fabe60954423e5fc8eb0676bab583d491e29088fa36aeadfc4e29b18f2d855d9

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
79KB

MD5
99d072ca2e2f27bfa785748fb75717ae

SHA1
f96281bdc60aea611b692ea8018c15e988bbece1

SHA256
297d2b29c117c8c05250235419916017e827ca593044c51a5d453fd2897798fb

SHA512
c9e15ed66deae249ffc7996d4ba076c5d79f406f92f00606b313c378b33afde907a6e2b962be2d6b3c690f55cee9cb0c70b1aa8b37a385345238ec190ed88857

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
79KB

MD5
ae264fd73ee0b56c0dd20f1bae548bb0

SHA1
d561392893829de8ffb577f7614d2a6627fce017

SHA256
c83bb26c870ac77ad7636e6072b03f1cab12f1ee7cf2cfc6b66d0b0ffb212b6b

SHA512
0c61903d7995a35464759ba2a4d805585b78ba0d4bd4ff5ef0f3269fc18b5183ac39d36d0a02a6690bb570eee1bce38d8520fea1bf2931fbb0a90b75f97a0470

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
79KB

MD5
3aecae8a2fdad0313de04e80f2c90817

SHA1
2a57cff9eb9d5654c9e8c4dd882c3bceb2cd77c0

SHA256
386b60f8f8299c9e04f4e6750c244117ce041408007253c679beeb956a51aa8f

SHA512
5d7c0f9c5e4e2822241c86f5118d15509d902da4ddebe1766385387524a44b9c641d07f9d9d70b1a2a91c4a29071b4fa39b89639b646084bd51bd9f45d4d9988

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
79KB

MD5
f952dc84296fd5d820ca53f426cabe13

SHA1
2c5fb82b2b407b8725d00a7dbc75f4f958523015

SHA256
4157d12260f5e7f5d17054ebaceb0ef66278a068902eb65cd9dd79a4e77f3875

SHA512
5147c6eddda9937d65054e579885fd3f902a1eabaa5ec350f80b2e61ba79d1fe3dea99ee6fa433a45fb0e6c30db207f6ea6549a0611b3bc45953595dc59d43e9

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
79KB

MD5
9a285ca2b018d67c79209be7d64a3143

SHA1
b9191249ac4d73bdc538e7ec40a680b277786854

SHA256
0c10f25b6bd1596816c4b22ddd358dd7500425164ca2eec3d6ae4265d4a38a1e

SHA512
92fff4551940193ddd45eeb2bb70e686494b04503a26c08f3b5456d3da170a50162a5349af89d4376bbd1d845bb520d387afd493bb96009aa3a0ddbeb677495c

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
79KB

MD5
8db22828d514d7e4fdbec8b640c34eea

SHA1
bd0426bc36e53c885107850c1a08d0ff52b8a530

SHA256
fb7cf36c2e4b5f43923590b907cd60bded5895de25e441f3413622deffedcf29

SHA512
33b596667c09b7436971d5b45d0469207b8b785d05469432ff1dda126a38245bbc5485cb01c50721decd34739a2d91e1417aa1f365925b7f6cf4cd40e0ca4d81

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
79KB

MD5
1fd348ab3013ee307f49abea8e5d7304

SHA1
a836c76b3b4f72f9f43f760c1fe00f61c78bc285

SHA256
32893fe58ecb839adb34c16bfbc82fa706f0f955770dbc3115e7b180a2ef49bd

SHA512
006dc18896bb29fd92d61deaebe49b68e3edf9619b74a62c281885f3ffaaf571beff91f7a4518c88727344e128f1c94476bef7b55bde7b9600e7ebc081a76f5e

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
79KB

MD5
9ad78f1c44ccfb063938f502580b4c1b

SHA1
9aa9609ee3244e098b40a2d0124d809254e19421

SHA256
85123e8a120ae0144b38c319300cf786a41d060e4bb449318597f90c70ab0fa6

SHA512
ced9a8aaa73ab6b439eebc67757f6cd24eecba7e4bed9fd8599eca0919f8ea911e19a0eb93e20c3d3e0efaaf174dd6c643d158e2eb223f7ce0afde1cb14000bf

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
79KB

MD5
f0c07b69645a62c3d031b503690df88a

SHA1
a8441d0a83dc2646f1d53fbef79a9c1c18e889da

SHA256
7950a34827f8e534063a59513db99181ef511eb472100c8f844504f377a1a23d

SHA512
bc8bd078671c6a08298e39f1c3dc3849ddba2cd8a68c672d376f9615b3e6efb75908013711173ece7219918da5a8621388228d41c185bd1843fbf07e7fe403bd

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
79KB

MD5
3143edc2115c9b7a1765179ded5a8f32

SHA1
61d48fd190debb036c61a6277581e1b8adbdb2f0

SHA256
9685a4387289dd5bb551a1c449c512148d332a7fa2808af37f05a5338c69d1a3

SHA512
806f8a6ac73fdd34cc9de6203722de77dda6199913110ac2186f27d2964725eacb5a60aecc1029f19b9ba716a862998819b4092137cdee9449cabbcb47a97fb3

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
79KB

MD5
d509d0a19f5f1d4de74de4834a2ba919

SHA1
b2da5730b7b6c7cb5e7f8b131cb13a802d5523e6

SHA256
686f75e3795ad89cf715599ae14d308a2d5dc768caaf0af9dd3a1aac8530f791

SHA512
c2ec4660b0d108003b77ff66014926680f23ffb161cb6c0862bf195db6229a23995bdcbb5c62d7c185144a9098ca3322826f819d6c180d3dd1502710ec98cc31

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
79KB

MD5
cd7d5fd57d6d845ce994e6874ceaebbd

SHA1
bc36a81aa337af8d8deda3151a7dce9b3381a032

SHA256
292a2da81889310004b1203f6eff321c7b72cfb7a28f1c467a7592d7d1a4b7e4

SHA512
1c938ef0022ae6ad14349665720e8dae94f6ff1304d61fcf9b4446b2391d719229f696d58ce931a8dc33f4ae1f951d8a9b6c74b443acb9ca80f715b42f85c473

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
79KB

MD5
9974da8d1410a353e4b7bf5d5be5e022

SHA1
cbd53b4f3edf3091ba2f68cf3dccca442f522e03

SHA256
d5d4eb7f7c529355c72fd004d649dcb4af2509f920bc6eed19aebd77a62da6ee

SHA512
1579dca7c107f7dabab4a77c78e46d2ae2580266141b328e770412a4e3be8f85acdda0cfd95acc0a47ae202c1fe8ca3e91bd40a018695cb8a4e99520a9e5b427

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
79KB

MD5
5995faf7b130b478490b3bf68b16a254

SHA1
4a269b93d26051230fa9c499c00d7022c1258a6d

SHA256
f969f22c71b59d97fdd87343acb1a77debabd83cfb7a0b3fc4e8a5cef374745f

SHA512
edc4626e9d6c06dcf229d4f1b430d9391fa0c20ec94c883123197c12ec765c59e5464b0b71cfe1f1c3eb8492657875f03618fb2c12a9991384485d0a516385ad

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
79KB

MD5
673924d7641592eede925bf419d21fa0

SHA1
98350edbe3fc196a24bfd989b29b40b1c2b15153

SHA256
ef71896b9ce327c3a8d475d5b514c30d03e867aaf219dc9d47a41d60e34bbce2

SHA512
754a5622975ebeebe619dabd1b741b2d746356b472d319d6b3cef4e67fac312e92d70b1ded243d9ff8e774de9fe56185be03af83460a554f3a51b48c867eef93

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
79KB

MD5
6583b8889640d328303d70af8e96b0c4

SHA1
de84e94920c25588a7bb5b253bbfeb401db55cbf

SHA256
aa4cf129d5a1a8fc9236ad111ab93cf7beb4455fffa40584ba3e6866568e5b3c

SHA512
4d8213116b26e3c13f01a51cfc2676a46991a845f70929ff93a1586b2981e3fd590e742b9690c47863d0a75d8f132fa357f42e89e783eb0f8450a86ce5258d8a

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
79KB

MD5
ee357e693ae7f796ce69481bdc45a3a1

SHA1
0137b6f4dadf1e82d41724910a941ebb0bcf1c37

SHA256
03dd23b78e5740df9f7e3089eab72ed5598db16d12fcc021895134bda1212ee0

SHA512
2dc9c6b737627eb8b3a9c7eb3c4207a9990266ac1280a1f22dc50841a2079115e265df11598bc930a63ef86349b910277129edc1bccbbd9e6217465a1673b913

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
79KB

MD5
7a499262e9315b6214ebafed9cf9837d

SHA1
0083257edb64c50cf8cf7d9e87cf807a14e45b06

SHA256
8224fa0f7a27f86c23c975d5ee8deaf613229da8e9c5a88747a40d40c037e3c3

SHA512
a0c8250147e51a3792fc3d1709cb7f08bfb4a28cbba110fd78544590a58bb8db8d39bf8cb6e6408e26d99fe17a6a4f9e719cb34d6b8319cb214644c26812a938

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
79KB

MD5
5696e524d0d119377cebb5d4bfa5c3e0

SHA1
2eeed2f2562be97580c91643c9f646e502d3ce2b

SHA256
0a1339403b25e3e151c624f0dc5d6466a2978de3e2b89c5413141eefb450ac51

SHA512
4e7e426a04be78d66577a5decc4cc0e11bc00e191ad3ecf88df9c6983f5d95bf32d6e0bbe51ec86776d2285b348a8d6836bfb59733f0c4c1f1cb4fe8d9c0abc3

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
79KB

MD5
0de255dcd75327b680aa6218c5fcc396

SHA1
e4dc76f1144def4161fd18e3f8242715c8c45edd

SHA256
206675138ca606fbbcfb092b052bbd7f045652de114a933eb36268d54e1e3908

SHA512
a8211d07cab54579154db5488112da6bab6bafe6d75f1456286a44e346c3ea1d2c8ce1ca8b21d868f169a9f1a42522a15ad084cb0f43413245b328b8e4788564

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
79KB

MD5
44316b403153aab11e48718240734714

SHA1
0c66731d5ed0551bd30945fd972b8348d665a82e

SHA256
8500c08e3c406cbbb9143b1a20d3cbfbb822507f7f1da74a0d17556ee29727e5

SHA512
fe2676b0491bb0406f46f544e1bc685643625ceaf1b728db56270f355d65d07c6b6e7c38daa17e099c3ca146e489366dbfaf187911877b784300cbfa6d0035bd

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
79KB

MD5
b82b34f5036c0f0e2f5c9d18b399a6bd

SHA1
d1df2a34832499fd0ddff26491a6fdb9322cb15b

SHA256
7be5383e8db199287fb89aa044f8515a1a39fbd5777135b709275492d1afe509

SHA512
9dffcff91bd907ee580b286ef0fc4302eb13484fd8c0c9fe7cd71c332ac9a8101ecf2558eb331ceb9e599e91cc65bff1b15d7424bd4ac42326bb4159d92bb342

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
79KB

MD5
62a735e3d0874ec149f2136a9b198cfb

SHA1
e7299c442bd7ec4c4b572358094626d065bfafcd

SHA256
3afec2b79ed3350bc1cb1177b4670aa99e14c4d5e4e55c054ad4644bb701e85f

SHA512
367cb1be00ff0b5dbf500300b6112a0b964109393897b9120dc79f9e4fbd6279ea841f8e0999abc9b20bdd943db1647711ed0246198f5992a062d57f576d58d5

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
79KB

MD5
09c7efa78bd1cae111b99df0a2341e88

SHA1
d646e895d976600f1a6ea316e39dca6d6cc29970

SHA256
578e15eff7946729b3f474e48facafdadb3ab218c58c4fb30e9a349d53dfb3ce

SHA512
4f9d46d486e818db578787a4aec528ced589c87d4ab361a29b651f4b8243f971f2cd00d038ce889dd44763815fef3178d8735d3c59b877acd5fa8ec31e8caa73

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
79KB

MD5
f6d0805bbb31f8d175df2131dfbb8199

SHA1
b286468811b132a28e536f980c260f77ca27b64f

SHA256
2b71e8b127272043c9cfffd4237c3e56bd4736fd05ee2b8ea21352af8a0a88ec

SHA512
0e584279cb341936384f6a25b498baa7c23c3364b189aeb109fc7f2b091b9e7575e2c167fed141e4ac5d3b47599b3e0743bfa507f1c09923f203e71c83fb4e9c

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
79KB

MD5
08945c47e862420ecfbf721a24a03f09

SHA1
8656a2cca7c395c620aa7294e21dc6bdd05771a5

SHA256
4df29e8b02707be009997714ac6301f599c777ad661b3687ba3bdf3e770b1809

SHA512
e68999a6bdd79f5fb5d3652b72d00ee4ba9df4c0c014208e6d7eb255d12add5b2956fd4e63e43fcc44ec12a42ba809598270ded5ccfd5577f6d6c57d66a0b6c5

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
79KB

MD5
7c6546d974046fd552720f023eb4ea5b

SHA1
57deee309100920906d483479a7c06843f6b2a4a

SHA256
79145ede7b53bd156230bf4c6b686c944817b5fde0aedf3fe8dc1d9e7d8fc774

SHA512
338dc467f62c62e1d32062373025917992f4c01eaad73ef6053c52c7c006a8fdeb83ba0d1cfcb841ef72c16d736f41617943c8b8bf5fff206f9bf7fc7f8036ff

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
79KB

MD5
cddd52170f74de35f2bc125e2ddf1065

SHA1
9faf6273dc46d4e6ee21ba4aa58d0b835678385e

SHA256
d8c5649b965118f6e5cd09077ac2ecfb86a48cce6305ca17f5001e3e9e07f4ae

SHA512
3e8b095794feb58c19683d5f1854611ae69eec04001f2d21916ff80c52696f5b8e4435ce2ae7c8fdac857e33c997510e398f84e501f9cc52b4d908151ca57ab9

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
79KB

MD5
d6d49aea411a96dfb130b7211b3e48b5

SHA1
8a47d62b0e7ac382accbded1b0def157b6531e24

SHA256
37a21a3e6036db750add6e4b200f8733d5e6e31a4ac20c5c78db5ab6c30e5da8

SHA512
116a92e11ebaecbe9e86eb34c6365bb84d4ffaa0d7e43a245464ce22ebc0598570d9f5d2a305dd436f9d9b9ad5f9796fd8cc1876d1daed1b63877f2dfd022f45

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
79KB

MD5
576e50c4954d13ae443096011e32722e

SHA1
55a01d47a7999d5523d5968ce9144e0c23a10804

SHA256
5b75eb6077366377523169956072b73470075fba7fb6f62ae2c21067cbf7b677

SHA512
cad3457807f888cb9eba8f2d863b68a495e4d591672bccf4b68ed406a32fdb235c295acae141c73ccf811ffe506cab419d1a2fdd9549ea79b301b02be5436b0e

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
79KB

MD5
f6e32febe7a60ab369d462da6c4bb2ae

SHA1
027cdb136a07fc53e4f80feaeffd1e6f97438fb5

SHA256
47b93f9e559d848fdba02dfea5fc25cf7cdf7921d78d3a5f285e1a9fffef14ea

SHA512
395b27002ed687ef39b4d6647c800dff0d76de0353e9747132b455a58aadd02912c72fb153aeddd76bf502c624805322212a2f6d04835485bbe6f69263b60773

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
79KB

MD5
2ee43f71089091555f4881f0c285ec17

SHA1
b857071f088fc0170a8d2df894d03a18540d40c3

SHA256
0ca41de7d9537ad3ea7ac8666073dbacd1fae6c89ece7ab9c9bd4ec32b124846

SHA512
a6c8a75c07afc9e4bcf0d007ec9857818990c79db8233ab6c766b42dc74a6348101a7c019b4f384d0a7dfd74ddecfddf64b851e55c4349f43ef4a688587a8479

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
79KB

MD5
c5e87aaf5f5b4af10a8f64962efdf3b1

SHA1
02c84dd8692e8cd66a9c1db6bebd1df8b7611038

SHA256
b93da86d0d6e00a1d469196c0a2b82ad1764da6a9c99459c297241535dab3af3

SHA512
c1db8b5bedcadf2e6582492e07ae42941f987abd0282c864f86007d8ad1111728dd8bee8c9e3c15ff7d9b4a82e9d3968efcad8696b7391959f2e348223b75aa7

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
79KB

MD5
79b11fc677483ca1e3bd78f647f6dbff

SHA1
2d4f5686fcbc2398ab64b1393681fe3d03528700

SHA256
9359f9115a7814742c99707bf43df77b34f6a641ec4f663ae3fec3ecc22347ab

SHA512
74106bc96e3f2f4ca54a78ae7e79dfc3552b8b69753b9af9b06c91034ecc79922e2810f3263a13cbe51e554f64e9115edeccc6f581b207c207fb48fcce9da1c3

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
79KB

MD5
865ed9167d8ce06acfab89fd67b5b3b5

SHA1
d483e00da0e7be9718f6695dd30b7fd0d6b46b6d

SHA256
d9697e806be9fdc44367cb51be15d6d0ca798e2be4c3940f4085034caad32515

SHA512
9a1299c32a238fb9104a8224829c39ab3f5646215e6d45fb3d149783a8355ca74e8e68f34c663e0adb8392aa1664cde1e13fbba1e2c1d221a10512ce33333243

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
79KB

MD5
44505e98791d87dd8eef11edd3b02f0c

SHA1
12227f6c2b5700efbb78db96ac8d70e92e8f8b0f

SHA256
65e4c6fa1723462ffb0155c82bbc89d2a2a33433845ab3dab366dacff2a8c6ad

SHA512
76f564e21843f55c1053308d738bd1574b0155ca1676d30958595df54d6a2962766df3b5069776aa24c2efed4f07ef9b41e14ac399b8a9a5e252b548483dce8d

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
79KB

MD5
0601930c45f1ad54599cc2ce01f558d8

SHA1
c34aa2287d578819ce21059bf52cd7e2a9460268

SHA256
be8ea88b0501e09d39a8e38cc61f2f49e47ce3703aadc01ed23a415d30d9f53d

SHA512
289a2adee738b395779d9fbf8e9bc7b1aff5d704d76ca7b6739b11a8166fd115bb7eba16f7b834991dedbfc7d276e005ee6e0591d150ad2b351a91990a2605cd

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
64KB

MD5
519e6031138ea1564ffa4633404358a2

SHA1
23ca78e70e985979a73a6f59ad3486ec7a2fe8a6

SHA256
d206211f9917bda60604d25f44577a7264ae33d94b05263a07d4f40116b53372

SHA512
a9ef441273e27884551e750b6d152246576ac7adb1cc756c31cc91d4b2f7252a03b87ad1443637cfd9f4bbc6a14709768abfe1f0d7854c2cb4f743ef09bacec2

Download Submit
memory/396-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/684-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/732-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-570-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1100-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1116-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1184-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1200-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1372-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1488-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1588-591-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1628-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1804-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2036-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-531-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2364-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2396-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2812-596-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-603-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3264-597-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3384-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3404-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3408-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3512-489-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3728-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3812-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3908-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3920-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4060-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4124-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4180-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4432-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4604-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4636-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4664-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4668-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4812-562-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4812-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads