c505dfb7ca10608c676159b718129fb20d286434817fb13740173a8896bf302d

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

306076db14878ad71840f93509b0fe00_NeikiAnalytics.exe
Size

318KB
MD5

306076db14878ad71840f93509b0fe00
SHA1

798d7fd90d398f10de62d94246b0600500fef995
SHA256

c505dfb7ca10608c676159b718129fb20d286434817fb13740173a8896bf302d
SHA512

dc1a6e1dcaa28aa0172b30a84a1d76a5176b679270ddad79f3d8596b511825649070f81cd65a71c9313d815dc7eb199133591e232569042c042405a847663405
SSDEEP

6144:v6VqjRVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:v6VqO4wFHoS04wFHoSrZx8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofpgqji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe

Executes dropped EXE 64 IoCs

pid	Process
1524	Dcopbp32.exe
2740	Denlnk32.exe
1236	Dofpgqji.exe
3032	Dadlclim.exe
4876	Dljqpd32.exe
1140	Dagiil32.exe
828	Dokjbp32.exe
2276	Dfdbojmq.exe
4140	Dchbhn32.exe
3540	Ejbkehcg.exe
4272	Epmcab32.exe
4964	Ejegjh32.exe
4044	Eflhoigi.exe
2128	Ebbidj32.exe
5004	Ecbenm32.exe
2540	Efpajh32.exe
4308	Ecdbdl32.exe
3368	Fhajlc32.exe
4172	Fbioei32.exe
2424	Fmocba32.exe
5000	Fcikolnh.exe
1916	Fckhdk32.exe
3848	Fmclmabe.exe
4600	Fobiilai.exe
2704	Fmficqpc.exe
3096	Gcpapkgp.exe
1920	Gmhfhp32.exe
4860	Gcbnejem.exe
1788	Gmkbnp32.exe
488	Gcekkjcj.exe
4776	Gjocgdkg.exe
4468	Gbjhlfhb.exe
1160	Gjapmdid.exe
2464	Gpnhekgl.exe
4392	Gfhqbe32.exe
4580	Gmaioo32.exe
2588	Gppekj32.exe
3616	Hihicplj.exe
4420	Hapaemll.exe
4648	Hbanme32.exe
840	Hikfip32.exe
4880	Habnjm32.exe
644	Hcqjfh32.exe
1188	Himcoo32.exe
4572	Hadkpm32.exe
2736	Hccglh32.exe
3436	Hjmoibog.exe
4816	Haggelfd.exe
2200	Hcedaheh.exe
4756	Hfcpncdk.exe
2832	Hibljoco.exe
4076	Haidklda.exe
3860	Icgqggce.exe
3844	Iffmccbi.exe
3736	Iakaql32.exe
3388	Ipnalhii.exe
2104	Ifhiib32.exe
1072	Iiffen32.exe
4888	Iannfk32.exe
3580	Icljbg32.exe
1664	Ijfboafl.exe
4312	Iapjlk32.exe
1604	Ipckgh32.exe
1512	Ibagcc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Dljqpd32.exe	Dadlclim.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lfhilofo.dll	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Dokjbp32.exe	Dagiil32.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Dadlclim.exe	Dofpgqji.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Fbioei32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Ecdbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hihicplj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5840	5708	WerFault.exe	220

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	306076db14878ad71840f93509b0fe00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkkkd32.dll"	306076db14878ad71840f93509b0fe00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1524	3352	306076db14878ad71840f93509b0fe00_NeikiAnalytics.exe	80
PID 3352 wrote to memory of 1524	3352	306076db14878ad71840f93509b0fe00_NeikiAnalytics.exe	80
PID 3352 wrote to memory of 1524	3352	306076db14878ad71840f93509b0fe00_NeikiAnalytics.exe	80
PID 1524 wrote to memory of 2740	1524	Dcopbp32.exe	81
PID 1524 wrote to memory of 2740	1524	Dcopbp32.exe	81
PID 1524 wrote to memory of 2740	1524	Dcopbp32.exe	81
PID 2740 wrote to memory of 1236	2740	Denlnk32.exe	82
PID 2740 wrote to memory of 1236	2740	Denlnk32.exe	82
PID 2740 wrote to memory of 1236	2740	Denlnk32.exe	82
PID 1236 wrote to memory of 3032	1236	Dofpgqji.exe	83
PID 1236 wrote to memory of 3032	1236	Dofpgqji.exe	83
PID 1236 wrote to memory of 3032	1236	Dofpgqji.exe	83
PID 3032 wrote to memory of 4876	3032	Dadlclim.exe	84
PID 3032 wrote to memory of 4876	3032	Dadlclim.exe	84
PID 3032 wrote to memory of 4876	3032	Dadlclim.exe	84
PID 4876 wrote to memory of 1140	4876	Dljqpd32.exe	85
PID 4876 wrote to memory of 1140	4876	Dljqpd32.exe	85
PID 4876 wrote to memory of 1140	4876	Dljqpd32.exe	85
PID 1140 wrote to memory of 828	1140	Dagiil32.exe	86
PID 1140 wrote to memory of 828	1140	Dagiil32.exe	86
PID 1140 wrote to memory of 828	1140	Dagiil32.exe	86
PID 828 wrote to memory of 2276	828	Dokjbp32.exe	87
PID 828 wrote to memory of 2276	828	Dokjbp32.exe	87
PID 828 wrote to memory of 2276	828	Dokjbp32.exe	87
PID 2276 wrote to memory of 4140	2276	Dfdbojmq.exe	88
PID 2276 wrote to memory of 4140	2276	Dfdbojmq.exe	88
PID 2276 wrote to memory of 4140	2276	Dfdbojmq.exe	88
PID 4140 wrote to memory of 3540	4140	Dchbhn32.exe	89
PID 4140 wrote to memory of 3540	4140	Dchbhn32.exe	89
PID 4140 wrote to memory of 3540	4140	Dchbhn32.exe	89
PID 3540 wrote to memory of 4272	3540	Ejbkehcg.exe	90
PID 3540 wrote to memory of 4272	3540	Ejbkehcg.exe	90
PID 3540 wrote to memory of 4272	3540	Ejbkehcg.exe	90
PID 4272 wrote to memory of 4964	4272	Epmcab32.exe	91
PID 4272 wrote to memory of 4964	4272	Epmcab32.exe	91
PID 4272 wrote to memory of 4964	4272	Epmcab32.exe	91
PID 4964 wrote to memory of 4044	4964	Ejegjh32.exe	92
PID 4964 wrote to memory of 4044	4964	Ejegjh32.exe	92
PID 4964 wrote to memory of 4044	4964	Ejegjh32.exe	92
PID 4044 wrote to memory of 2128	4044	Eflhoigi.exe	93
PID 4044 wrote to memory of 2128	4044	Eflhoigi.exe	93
PID 4044 wrote to memory of 2128	4044	Eflhoigi.exe	93
PID 2128 wrote to memory of 5004	2128	Ebbidj32.exe	94
PID 2128 wrote to memory of 5004	2128	Ebbidj32.exe	94
PID 2128 wrote to memory of 5004	2128	Ebbidj32.exe	94
PID 5004 wrote to memory of 2540	5004	Ecbenm32.exe	95
PID 5004 wrote to memory of 2540	5004	Ecbenm32.exe	95
PID 5004 wrote to memory of 2540	5004	Ecbenm32.exe	95
PID 2540 wrote to memory of 4308	2540	Efpajh32.exe	96
PID 2540 wrote to memory of 4308	2540	Efpajh32.exe	96
PID 2540 wrote to memory of 4308	2540	Efpajh32.exe	96
PID 4308 wrote to memory of 3368	4308	Ecdbdl32.exe	97
PID 4308 wrote to memory of 3368	4308	Ecdbdl32.exe	97
PID 4308 wrote to memory of 3368	4308	Ecdbdl32.exe	97
PID 3368 wrote to memory of 4172	3368	Fhajlc32.exe	98
PID 3368 wrote to memory of 4172	3368	Fhajlc32.exe	98
PID 3368 wrote to memory of 4172	3368	Fhajlc32.exe	98
PID 4172 wrote to memory of 2424	4172	Fbioei32.exe	99
PID 4172 wrote to memory of 2424	4172	Fbioei32.exe	99
PID 4172 wrote to memory of 2424	4172	Fbioei32.exe	99
PID 2424 wrote to memory of 5000	2424	Fmocba32.exe	100
PID 2424 wrote to memory of 5000	2424	Fmocba32.exe	100
PID 2424 wrote to memory of 5000	2424	Fmocba32.exe	100
PID 5000 wrote to memory of 1916	5000	Fcikolnh.exe	101

C:\Users\Admin\AppData\Local\Temp\306076db14878ad71840f93509b0fe00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\306076db14878ad71840f93509b0fe00_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\SysWOW64\Dcopbp32.exe
  C:\Windows\system32\Dcopbp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\Denlnk32.exe
    C:\Windows\system32\Denlnk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\Dofpgqji.exe
      C:\Windows\system32\Dofpgqji.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:488
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        32⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        41⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        47⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        48⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        51⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        58⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        63⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        66⤵
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        67⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        68⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        73⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        75⤵
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        77⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3076
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        79⤵
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4768
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        82⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1560
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        85⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        87⤵
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        88⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        89⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        90⤵
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        93⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5088
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3544
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4332
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2196
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        105⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        106⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        109⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        110⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        111⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        114⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        115⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        119⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        121⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        123⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        125⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        126⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        130⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        131⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        135⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        137⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        138⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 400
        139⤵
        Program crash
        
        PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5708 -ip 5708
1⤵
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadlclim.exe

Filesize
318KB

MD5
524b1a7d18b7fed1438589013ede6ffc

SHA1
d6b0788c981f6ae852342d5e6314140c87bb76e5

SHA256
b4e17f82602291ea39512d27f8c1f3024da86b026442fac735403a5be1c3f31b

SHA512
b7980c10ec5d489839caa76bf4d80d8c3df80d0fe302ead395ec138ac9b56f48ad30c929fe71dbd3dd86cf374565f5c8c8fc5a02e6e2346f6ea1f2529bfc5410

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
318KB

MD5
376480fab45e53d7e32ec30b01b7d8e1

SHA1
48a31525c70cc501d3aa38b4f4b9cbb05c6c3724

SHA256
d436e5749c8124c0175e6bb66dbae83c2e35c05f10c69b44f712d012b8452166

SHA512
c62fd8977bac31c629da4d2346da760e267a4fd0c37d8420c4ff50d24de068c7628bae60abcb41214111a0aa5fe2d0c3ff8701485ea6faa37f4a6aa350601ff8

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
318KB

MD5
d3fc32996f5f33946adb09c13a3b9dc1

SHA1
d972059b7f7dcd1ffd850203524ba756d5f1f81d

SHA256
28d94eda5755be99d222a722d1b8203d1d24b63af83afa0ef31d7a09f91f113d

SHA512
30cae869d97ce3d13524da5f67f827018b2f1343f0fefab643077b610844a31246302d2c5892f1262cda0dc385db2e2621c49d21880a15bde05ea84974110b29

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
318KB

MD5
d7b85ea8ceba15e7f637bc623135cedb

SHA1
8d4aadef8bef4fbbfb7548c1595636c840808c02

SHA256
aa34bd6859fd0e293a7fa79a2a320651e0a011ec64c2c6b5db1216cfca75fb95

SHA512
5e8c713c9cd8fa1f5955be40dd35d07fc7319d1b62cc90835a7e4a46f0b2fa0d58db311d201a8b7a001c3fad318c0cebac35b5642e73e47dea24763034e29f2a

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
318KB

MD5
3b49eb198a9b69f9f231ec67ae661c1b

SHA1
6a6eac98d702bf521092e9d91d3ba9855a00582e

SHA256
fd667b21ad24559e2acbdf003b8bdbc710e0a46301e8a96afba46d0b7df4726c

SHA512
d2c47a25a635ae17a9e47a4bee371f8e0fef6ce62bdd60c61dc012e806116dd47c4057335fa275c1aa217731bb2e3f70385a08fd899a28e1ed87cc9994d68491

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
318KB

MD5
2889e62625e26534a5e5e2413697c5fe

SHA1
d00d6b56fb2c2b2f105a2c3166b7bd2ae5f01e94

SHA256
361f5566c65e2dc1400751f51c191b73b8b636b35153d5b44d351589ce807b94

SHA512
9c9b7076e59cab5283b1566ae43bb6b403da6428d4a5e28cc1321e380397681d08d2244fb5fa2fd4d8e1eafbfc9c3b9b360f07be46e0118677e10dcd649efbc5

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
318KB

MD5
60c1c4a060fe3c792be313773fb0c59a

SHA1
47498914539f0bf1c0eec356d493465188105d8a

SHA256
13027bdd6f29ff98ad9a7417c84ee94d022a6d7da3e41f04481c0d55c6e638f4

SHA512
ee7caec7d03676c4a7bce977979f79dadb79cb609511642495d2ddd89d70f77f6825f2add528bfd598132d9038b161452257c1fcb8060d54638f87917ae8200d

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
318KB

MD5
d0540b3b6dcebb05d664ab2cf43559aa

SHA1
2cc8b4bd01eb757648f95753a5815521437b40da

SHA256
8df55c5e92a4c12eb61a7531e3770ce91bfdb4be0618e2791c969ff846e7351c

SHA512
a6f89a1998ae39274949e382d82ffb94531f79a0e32e56e22a0a7f6c901ec11b42ca30b88d918819213580e3e36859b6da6c65555b456637918b45dfa96f618e

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
318KB

MD5
c0dffd790293f1b6b1d09b134e28e0f8

SHA1
4ebb95db4e692e94ba9a0ecbf01b3b756856c5b5

SHA256
6fab39eb90da5ff4d90e0f4b075fda87fe347d8acea4c9ca6187fab718ffbfab

SHA512
021c2e377448a250b75ce4eca2a20adc9042ec3a08b827c0fa736cb332b5d2faff0e032b0693fa2c957d330f27c2bbab2bcdce91ace3badba272a517bd0b7ed9

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
318KB

MD5
ec7db74f591b48fd3654846ab13dcc04

SHA1
d8abb10b5113a654272b716958d3ede7ec709925

SHA256
fd4ddb6e80123a8f043868cccceb64b33363846b37b93b41185d43f24c20fdff

SHA512
47616ecb141537b78201b64b4ac672f6b1ccb704a8707ed4160c815c5beb6ce2c8cc00b6596c07b198f3a01aac495016ed6db7e0cdad78baa70c673bf27c51e8

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
318KB

MD5
9e3f6f9f43b1b828624ebb5c86443fad

SHA1
ae5803b00a2863f2792b710146770867d1d67c98

SHA256
e0fff6ac32d96f1760da98d9d9a03cec7bfc637e3af952f7c1b71599a799decb

SHA512
f21f0d3d3ee04563e851002f40605903fb8bc29febe64d692d3fe27d2c331fa1b553969bf34faa7bffa0211be22aa57bfb4d04da3a455a0ebce9d215c4017829

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
318KB

MD5
a591bb7bd46ae1c2ea80ef9a1aaa5cb2

SHA1
f55419198a1cb357e69cb0e4bf8779433cc50afc

SHA256
a6870f2a6748877ce3af84a4fc423d854e18e7d40a91386199b461ed1e54d914

SHA512
c975963e4684af6bcd91ce447a5317bed4cd08b294d870e8fff5be277b93172d08f5697f2e4babfdfcc29f310752682904e38cc6ec55c2b5256a20a0a6add976

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
318KB

MD5
1a2c04323ad00a91adc94f529dbc0b1f

SHA1
0dee04846ab5dee063fe1d26df16ee2cd6c88614

SHA256
f8518ae2124e9f630c4b2df9e7d1063bb5cd2ea9e388a7d181532ee736c206ac

SHA512
c23f8ee2d7704b1a9c0f77b472954f54eaef1f519f3cf67160d9d03cf2da83d433a12d084702516a22202ad8209d254205c3420aecc73065c96d94a77104382f

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
318KB

MD5
e265ebf678911cb018fe92e9dd21f2bc

SHA1
f23bb7204453251e5cd1c288c17c194b631ff83a

SHA256
c89a32306840ff247ba23c8b39e97c1f02ac0f0554f3609a536d2ff333054de3

SHA512
4e2d5a6ac2a9040fce154b5755bde7888f2f0425ac30b1ebb563dd6426649a6019a14f8cf726cd271fd933b77ec4ac7280044e7d8187a4f201c84dc0f0e12bfb

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
318KB

MD5
4e9bea3e4e68fd36fd6dd56516d96671

SHA1
c109dc4001d54f96a494469ab98288f550b85955

SHA256
a4204a1de992fe3895abbefb4b2291b858ed7253d378b7ad3ace7ce7d47b99ca

SHA512
fc928bd1f7cee521689374cdc09ab9aa729e159971e0ce1125dbea163bc0f449b6b4edaf4cfc6c5307fb7443f3e2ce97456d642b21ac55dd18dec69523fc74cc

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
318KB

MD5
c0527710d77931232360f7ab537f49e0

SHA1
583ba6f5ce294ce905c0ac34b8a5ba4bfed2dded

SHA256
50a88d4139e75b5b24251330757c48369cac57f6a3d226f11247994232778e78

SHA512
455bb495f2cfc8a6e3b25feea7f7ba6d978d58e205916746447ec75e953cd86cac49d15b88b7a046d87af6d1cc7d6157f547b3f537a98665c6566c1ab8048306

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
318KB

MD5
ea2e8383bb5a7b040756a40da0297c8d

SHA1
6f9210d2ab93e067c9159b58afdf95682370530a

SHA256
a5877bbd436f428dc8e2f2d79e8ce248b958ddfd5e5116cf1a8ff3580b98ada2

SHA512
9f8466eaa59f7839265c8b30dcf5b4fa74416ebb2762003775fd81c15d56e4ff31419efa7b94684f6a56b769c3d1a90dd0399967e146c490bd58f326d269b66a

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
318KB

MD5
0ab59360bfbb2ebf4cfe9d9aaa1d8953

SHA1
490806371624324db7e2f092f1a6d49420e0aa51

SHA256
a76904f7539204d3567955d7d1da61f78bcc354bf29dbacf880beefa6cdf61af

SHA512
07ed56ec1db2fc85701592afd609ac6fa61a4e0f3c98be9ef8edf0e4c6d2a8fc1a90fb0edcb0bb3d94fe396bfafb51554f815bc802b0432617035b775fd6741c

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
318KB

MD5
641ec6a75445cbea40369ca3600efc28

SHA1
2355e8815cf1ab859368c7bf9da3a16fea5b00bd

SHA256
f5ea8329bffdb546d6d3d1cdd61d29ec2288615b90c0dd7699c8c340be4e9b44

SHA512
95bbea9fe76128efabf0550cf19d9707d3ea24e5e0e5531c99ffae0b3b3d776b547cf672a9c2b59b2d40492c6638fc879677373fd849185b9493fedf4c9607fd

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
318KB

MD5
d4f19164c12b07b67d2e9596a5b86014

SHA1
e4193492abc93167d705c7e033d2a57cad941691

SHA256
11e79885e929fdda24e03058e34eb2b3ec0c0d518ebdb5db9ce8725c98b82e1d

SHA512
e466039f8b2ebbaf5ee6a3d4347fe036cf64c9a7b5555da8e7201ba0fbb084e3caa6fb1bb1551a797aba95d7a171ebe3bbe53f152503fa0bc8bc178a142315e5

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
318KB

MD5
10675fcc43968bb42a7e5dfa725d277d

SHA1
15f4f9779078c4ab53ca67be2dac654fce9b49e3

SHA256
596ea2a52a9115b245b9f7369834b9a23b5e10728d531b9493c4388256a7827d

SHA512
caaf320be4abe58ed998b96b3a0d1fdf5f6e8eafd787057548916aef9fdd893898dabbd2d6a8271ec1761147de6733659b33e5e2dc8eebcaf4a1b2115ce06361

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
318KB

MD5
c88ce11c3410831a28b3294e672c79ce

SHA1
a0463123dcc562de1d85ea7ec7b4fe5b1a22b540

SHA256
097cdbc7cdcbffa6b1130f1de4294468bbaff8945e27b821f263e80748e891a1

SHA512
527f0b3a087875d3e0bb4f99272eeca48c7e443de9fe321495542b661cb62da12db1e0d6e2428cf1ee8987b4c616aa5ba64888ea3eb674ef76b351c1b63f59da

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
318KB

MD5
d02f5a949d2481c59ed9a263fe1c10e8

SHA1
496347760fa8289f273eefc45ff42efa231d561d

SHA256
ed42d04b22c7665075f4515b6b003d8ad8312d4cc11341f0ef7968f74d1dc76f

SHA512
4142986a48da30755fb8b2ef3edc91821f8c6a32710120ffa0b20c24b22b0579d8773e9f35f9265fe948f5bc0e84e9d5dfa860d52b819147d4982c590fbfc22c

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
318KB

MD5
ab1d807437b8da64a175e5f24bee2d7f

SHA1
898bb22bb4559027350ce66040c8025b910d7e18

SHA256
33b80ae8d3821b408a8321ddf0304af39c92c46a65a0f17e4c7692492c3d0845

SHA512
eeddae53d7b23a47c541b4e6c1d2aa09246abb034ad0515cea37ea87d682731e510e33c7f887103a1132536926ce06999d8cc3e365a89953d7115a92ab02d7a3

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
318KB

MD5
1d054bfb1b7fd31d37c37fd078fc7493

SHA1
e343de0c0227c9c3d2a99efe398660b5106e7cdf

SHA256
dbdda50d6e8945347f1d25faab2987893813c44ebf7dde45614e548e4204c87c

SHA512
5535dfd23ce30314992c34dce6d00f139672d709ddf7d39365fef2cfa11f2162cce582068599bf072124e356fbf01d04bb9b57cb020c0bd0d61027a9a5e642ce

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
318KB

MD5
a36546f73fb3c26065e2c677aefa32d4

SHA1
0e3b09fc1c26c552803679af203bc8f407f80d3d

SHA256
af6e964d472f46fb8fb82ae57565cbd81f0f0725665c3bb5c2b4014ef217a4c4

SHA512
9159e5d1199e9e369f26d9ee41c03168874c27580968b2d6e611b8e8de1dd54b272b19b40a77aae3f4ea9325e0440ebfc268ea5cb315c786532474b5dd2d5d87

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
318KB

MD5
8d8237567d7bf99ff1f6eb11543681f2

SHA1
933d672a95d2e6b1ade1bc01c85795a581615b5a

SHA256
67c7ce9af8822f8381349811ae7d03eca78f0cfe43321d1d0433b5427902ea00

SHA512
5ceaac8cc92f41e7de566f10accdfc7a8c75fbcf6f9451eec6b4cfddb0d292369480d8173de74b77d7ec6d3a3042b6a50961ec41cb75b28af2eb5de3c6e50606

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
318KB

MD5
2eace47143769e8eedc3564175566001

SHA1
14cbe40c5cf179efdbb089ca0e16b3d1fd11399c

SHA256
31dded74893972f10d117737cc42855a88cdda0f147b2bb2d2c77af454e5dc48

SHA512
efbffcd78177d50120312fec59ff4d9bb291842645e1e6f2eabf0461c0b620ab239a6be21c5750b75a79d84827fe2b84706a23fea43150b510bd97428e3550a4

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
318KB

MD5
15b862e625c6d56eedfc094389637206

SHA1
a10dc7af1d39d7de7860876700669f7e408799cc

SHA256
218653ec16b3a71d811cb46531b09d487cda3363d2c5517533980221516d33ec

SHA512
78e115982516d65aa40eb908718cb3a87d883f85dccd7a2b30406a6923432fbd96559ddf9587f5a2569e77e9c9e0ad6d103a44ee9325c0b248ddda5f10344299

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
318KB

MD5
da7b9062932da498c9c7133a8cacaa7f

SHA1
4874aa7c1d34fedd74112e156018585fb681cbc0

SHA256
a21454ffecd1ba1edc6ba3c25648f6e6fa36c69de3c1acfb15ed4204fd5cc29c

SHA512
2d1e7c5ef3f589a9b50c567909be134be1ff4c64b74e52b8810c90df45a4c6ffdea7645f1a58ffbf8f034d08aac4321e2bfcfbbcae73ee8232b2203300ea99d5

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
318KB

MD5
30848ac7046374f50e1704f894aa60b7

SHA1
385797b80831ae4d5fec9edc88fd3a7b547bf83d

SHA256
72e4ae6f7cdfd1471af315c820027ab50eaa56269086108b19b977cc6c432118

SHA512
a98bb57d68e81d4991f88dfa4ed0e25715f966b29582f8175e5038d9b0a70132369c087fa021ded20f9823295eeee052c1010e676717a30d6a26205b6fb28786

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
318KB

MD5
75d9fcc06dbd9e7fad0f6e08d86c282d

SHA1
1bf24d0e0d72db5a82d9844261f1c1ec4ffb8bf7

SHA256
368197e0dde70b973e34d0a424b6d3466a0d86c558c8f4acfebbd619c3b9f0f9

SHA512
f60bdff2ed9d31d90e29f239ae2a89223e2cd3b2b4b26a6a9a48a23c2ca61a9eb8dfd4273dcaeea66eec25e4add5b8a643dc59eeb513becd1d228b2f17749c1d

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
318KB

MD5
0ebd5c96e340eb5d8778ffe47098b3ad

SHA1
30837b588982443eacf4952e1a6e3a7d62e697d9

SHA256
468d9eecb916a76d35955d3c85bed5d9f161bc218abb26a8415a77d31bf74dc2

SHA512
df2025b34b8e855487a0d0a8f95c16bbf830e34486a38fb4c1f75fd0a794edf802ce5604f13a362b90dc26a3645e699910ecae38251b3f1ac791e76b3fb176c0

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
318KB

MD5
8244c015716c94a73793720239da0c5d

SHA1
9f21acb6a33ef704142b811d6d7594988688a6c1

SHA256
b046e42b96232849fbc165227b9c2789aeafe83657d4e9c4f1f3b39d3c2f2b7f

SHA512
f25175b4c73b3df90acb30897f179f7ebbd773f2a61514f1b6dea14835babfd41ca2d90cffa433085c5347d4f24e1796adbe306a14bf2ebbfaff66acd3cb39aa

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
318KB

MD5
8917c20e18f2cbaa16524ac181a02a77

SHA1
5a6bc91d36287708c2853ee158a43b67fc668f55

SHA256
40a35988ce0cfbb575d18ab1bd5db391ce158acf0323f449723d1552043503e7

SHA512
274d48ce1c8c105110844f200e33a9072e98ba50198cd585871e462b12c83d79fc8231713a95ca988bacae90ec47a35e007fb93d78a13512e33ab4ebca5a4f57

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
318KB

MD5
3e495b9b976dfa276268d3c8d0583633

SHA1
400d381389df41fe8acabce8a705d12e81ce1f8b

SHA256
833feee681b7cb6b4eb53ce365c48ee7df1cb8cb5554182649ce4b9836e8a9e5

SHA512
c7c72cf4b60039603a94fe4ac655c1c886006d3785d250350bb9a5365115f29dd369729cc3b3c08ecf1c1057d5ac1419c7e2b4a81ed68202b79ab2341214f3df

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
318KB

MD5
3161807bf6939dd1c86e57d72146bdfa

SHA1
89b119dfb0ab7d592981a433b505bc097b1a7ba9

SHA256
f5634df0eb7271e7dad059d16c5b511e020b09386d68619e644e9189af938b38

SHA512
e9f822cd23e6a97bf0eb1e281aa400148ee54963ca574025901dcf9e99c0bd3c4e7053b173aaf2cb202879eb8c289f0ab3f6920360c97f47b26b748e6e77d0ca

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
318KB

MD5
c67e01be0737f0019862e5c2eaaf1ff1

SHA1
1e561725b0185d8e9492f9471b70f7c00797ea57

SHA256
1c439f1b83c81eb477a48ff3ba66a9eb851486b86ac0b796f4b3edb2a843c939

SHA512
ffe5da83ec71c039fb340208ed538bd3e63497bacac0df3b3e4e8423e5c9b02bdf15f4231c3b2242130c35aa4e1b295f63a12aae5cb5717e2aaaeb7e0cfc16cf

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
318KB

MD5
f394184ea7364811f4ad4fefa99a24cc

SHA1
7912c559a5438d7089a6645889e837d32f9127c3

SHA256
33df5ca2588727b2823653ff88951bcce793ae117f8bd055392368e4045e58c2

SHA512
a5d713ea6cc5efa7caa193037ab7b842d13f4e2a98eede78f895be46be878f047f184dc44c245372b6ebb677467e3c1010106c8d201c460d3324b8a1c8653c29

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
318KB

MD5
ab2f865b2835b595843e09cac2a30ebd

SHA1
53f6e580a5b600ba879b1d6785715abd45b958d6

SHA256
8caa9e5d0af0c40e41303266626bd50059ebeff8354b4f809937d80c87e991c4

SHA512
31d0821c925e8978a9f3cf962628ada5cac4d9fd7931543d57cb6ede690b883b68f55fd53f36aa5fcfdae0eed05a3f32ace8fea3a5b26d3b257dfbce65e17f68

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
318KB

MD5
6d1bead65924cd925aafc7645998093a

SHA1
2e7ec7e98bb6f0e38dfce97798d168056a0d0297

SHA256
4ed5312b7242d50fb971cdaaa151dc8fbd858be2e8258c027a5e6e2bccdf1f6d

SHA512
c804cf3e45e84438f31f5c2faf75a35562311914958447f2174b32f37e706dd951b1ca3242afa35f9e3651ac47dc1fbbc996ceca25df265b6b2b583894884990

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
318KB

MD5
e7c99a3a73dcf04f20b5387a2d8ff810

SHA1
2c4781b3628d1970eed398930ea051f2e1f95bf2

SHA256
2f687201ad5d207a96c55d4e5e5586a69cd6e14aed2e215b1e71a8925cfad9f2

SHA512
415b147d245c78ecd633a446a77dda6565d785fa1427c6580ec761228b4c8d7fa715e63c7e21a8d11230132d8d63c8b1ff718e6f57cb9d214dbe1d1c9f1c37d1

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
318KB

MD5
17d6520eadd0b75edf98618c13147678

SHA1
b47b4c52e44312b804bf68da515b8e63c1406b34

SHA256
8832478c777c2aca2bc70855f300e49c66d70e4c3ae7e4e50040952572948a2e

SHA512
7d4fb493a09168fec4b77dfa6e934e7145a91776c9c064089cbcfdb6d906b63942d9f3add17d6a5148f0063497e8cd5dc836d6f81aa94d76c30173b854e895a4

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
318KB

MD5
fb249e28912819db5a6ad5dfdee3692d

SHA1
96dd100797c8084255e9fa8d1f1e74bd1a19c07a

SHA256
1fa618a4f1e98de7fac749455d5b5fdd78fda26ced3aa8b8d24c4db7896c412d

SHA512
a3127395db1ccbc078e44e1b39132faa4b8bff412eed33998664bf31b4d198908eb34b239d632f7d4bd8f562166043ec0fe6da64ef59caad6e1a05e2caefe9e4

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
318KB

MD5
a532dfb79152fc21681cb78a038a31b7

SHA1
528382e199b28542045af640933bbc7a7c32b0e7

SHA256
e89c19b74e1c88c3c73cf53041d944e79d5fa1fd7ac7cbfefdb15f03d8ab1cc8

SHA512
fa5654e3e9810ef150852186f1e126aba819dfc6ddf4b129ecc8a454ed9870bc9d81fccdb5ec569107ec4a2f00d60a45e19dc7d176c51119bf3e17d12b73829d

Download Submit
memory/488-239-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/644-323-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/644-1086-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/828-581-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/828-56-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/832-488-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/832-1028-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/840-307-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/960-1027-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/960-493-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1072-406-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1140-48-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1140-1161-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1140-571-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1160-261-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1236-552-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1236-28-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1264-544-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1448-527-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1476-565-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1512-444-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1524-12-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1524-539-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1604-438-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1608-629-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1664-427-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1788-231-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1916-175-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1920-1119-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1920-215-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2104-404-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2128-111-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2128-621-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2168-997-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2168-584-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2196-967-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2200-358-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2272-648-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2276-64-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2276-583-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2424-163-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2464-1105-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2540-127-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2540-635-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-199-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2736-336-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2740-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2740-546-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2756-999-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2832-368-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3032-559-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3032-36-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3096-206-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3096-1120-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3124-458-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3168-526-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3268-452-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3352-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3352-533-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3368-143-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3368-647-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3372-464-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3388-394-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3436-342-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3540-82-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3540-596-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3580-417-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3616-289-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3736-1063-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3808-499-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3844-383-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3848-187-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3860-381-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3864-515-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3924-446-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4044-615-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4044-104-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4140-594-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4140-72-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4172-654-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4172-1134-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4272-602-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4272-88-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4308-136-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4308-641-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4392-272-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4420-295-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4468-255-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4488-475-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4572-333-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4580-282-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4600-190-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4648-301-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4756-360-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4776-247-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4816-352-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4856-603-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-222-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-1117-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4876-44-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4876-564-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4880-313-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4888-1055-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4964-95-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4964-609-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5000-166-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5004-124-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5004-628-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5088-622-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5112-485-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5384-951-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5428-952-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5512-945-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5556-946-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5812-933-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/6068-920-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/6108-916-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads