cca2130446efeab6f014c01328fc7c6ea1a4b2799d37d74be444dde6997ce7bb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f44bdac2c0e948362d6d0cc3505afa0_NeikiAnalytics.exe
Size

80KB
MD5

4f44bdac2c0e948362d6d0cc3505afa0
SHA1

3011aa01b49bd465e155c787f3142a30b1163e90
SHA256

cca2130446efeab6f014c01328fc7c6ea1a4b2799d37d74be444dde6997ce7bb
SHA512

cba2b7ccc8a70386fe93a0f779d85af6693f7662155e0df0e3827c315b9eac483df92356c14b8dea0f168a9d273c5e296de625cc7c74bbc7c966d208b44ac76f
SSDEEP

1536:XWPb2AUStZvXkKboYsSpNHmw/70Cxk49cs6U7J2LYaIZTJ+7LhkiB0:GPb2ApKEpEw/jZ9BxCYaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe

Executes dropped EXE 64 IoCs

pid	Process
2732	Dphifcoi.exe
1424	Dcfebonm.exe
1696	Dfdbojmq.exe
2412	Dhcnke32.exe
1496	Dpjflb32.exe
4192	Dakbckbe.exe
4584	Ehekqe32.exe
2036	Eoocmoao.exe
760	Efikji32.exe
3600	Eoapbo32.exe
644	Ejgdpg32.exe
1716	Eleplc32.exe
4048	Ebbidj32.exe
4536	Ehlaaddj.exe
4080	Eofinnkf.exe
4588	Ejlmkgkl.exe
4068	Ffbnph32.exe
4516	Fjnjqfij.exe
3136	Fokbim32.exe
2896	Fjqgff32.exe
1972	Fmocba32.exe
4868	Fbllkh32.exe
2528	Fqmlhpla.exe
1552	Fckhdk32.exe
3116	Fjepaecb.exe
3924	Fqohnp32.exe
3844	Fbqefhpm.exe
4616	Fijmbb32.exe
1896	Gcpapkgp.exe
4468	Gjjjle32.exe
1508	Gmhfhp32.exe
1076	Gogbdl32.exe
884	Gfqjafdq.exe
2784	Gjlfbd32.exe
972	Goiojk32.exe
3644	Gfcgge32.exe
2232	Gjocgdkg.exe
3416	Gpklpkio.exe
3160	Gbjhlfhb.exe
4944	Gidphq32.exe
1600	Gcidfi32.exe
4912	Gbldaffp.exe
5104	Gameonno.exe
1272	Hboagf32.exe
4364	Hjfihc32.exe
440	Hbanme32.exe
2560	Hjhfnccl.exe
2372	Hmfbjnbp.exe
916	Hcqjfh32.exe
3876	Himcoo32.exe
4196	Hbeghene.exe
376	Hippdo32.exe
1528	Haggelfd.exe
4804	Hjolnb32.exe
448	Haidklda.exe
3152	Icgqggce.exe
3916	Iffmccbi.exe
1852	Iidipnal.exe
1672	Iakaql32.exe
4752	Icjmmg32.exe
1892	Ifhiib32.exe
1376	Iiffen32.exe
3344	Iannfk32.exe
2700	Icljbg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ejgdpg32.exe	Eoapbo32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Kpmkpqcp.dll	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Ejlmkgkl.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5864	4876	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4f44bdac2c0e948362d6d0cc3505afa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgpaojg.dll"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2732	548	4f44bdac2c0e948362d6d0cc3505afa0_NeikiAnalytics.exe	81
PID 548 wrote to memory of 2732	548	4f44bdac2c0e948362d6d0cc3505afa0_NeikiAnalytics.exe	81
PID 548 wrote to memory of 2732	548	4f44bdac2c0e948362d6d0cc3505afa0_NeikiAnalytics.exe	81
PID 2732 wrote to memory of 1424	2732	Dphifcoi.exe	82
PID 2732 wrote to memory of 1424	2732	Dphifcoi.exe	82
PID 2732 wrote to memory of 1424	2732	Dphifcoi.exe	82
PID 1424 wrote to memory of 1696	1424	Dcfebonm.exe	83
PID 1424 wrote to memory of 1696	1424	Dcfebonm.exe	83
PID 1424 wrote to memory of 1696	1424	Dcfebonm.exe	83
PID 1696 wrote to memory of 2412	1696	Dfdbojmq.exe	84
PID 1696 wrote to memory of 2412	1696	Dfdbojmq.exe	84
PID 1696 wrote to memory of 2412	1696	Dfdbojmq.exe	84
PID 2412 wrote to memory of 1496	2412	Dhcnke32.exe	85
PID 2412 wrote to memory of 1496	2412	Dhcnke32.exe	85
PID 2412 wrote to memory of 1496	2412	Dhcnke32.exe	85
PID 1496 wrote to memory of 4192	1496	Dpjflb32.exe	86
PID 1496 wrote to memory of 4192	1496	Dpjflb32.exe	86
PID 1496 wrote to memory of 4192	1496	Dpjflb32.exe	86
PID 4192 wrote to memory of 4584	4192	Dakbckbe.exe	87
PID 4192 wrote to memory of 4584	4192	Dakbckbe.exe	87
PID 4192 wrote to memory of 4584	4192	Dakbckbe.exe	87
PID 4584 wrote to memory of 2036	4584	Ehekqe32.exe	88
PID 4584 wrote to memory of 2036	4584	Ehekqe32.exe	88
PID 4584 wrote to memory of 2036	4584	Ehekqe32.exe	88
PID 2036 wrote to memory of 760	2036	Eoocmoao.exe	89
PID 2036 wrote to memory of 760	2036	Eoocmoao.exe	89
PID 2036 wrote to memory of 760	2036	Eoocmoao.exe	89
PID 760 wrote to memory of 3600	760	Efikji32.exe	90
PID 760 wrote to memory of 3600	760	Efikji32.exe	90
PID 760 wrote to memory of 3600	760	Efikji32.exe	90
PID 3600 wrote to memory of 644	3600	Eoapbo32.exe	92
PID 3600 wrote to memory of 644	3600	Eoapbo32.exe	92
PID 3600 wrote to memory of 644	3600	Eoapbo32.exe	92
PID 644 wrote to memory of 1716	644	Ejgdpg32.exe	93
PID 644 wrote to memory of 1716	644	Ejgdpg32.exe	93
PID 644 wrote to memory of 1716	644	Ejgdpg32.exe	93
PID 1716 wrote to memory of 4048	1716	Eleplc32.exe	94
PID 1716 wrote to memory of 4048	1716	Eleplc32.exe	94
PID 1716 wrote to memory of 4048	1716	Eleplc32.exe	94
PID 4048 wrote to memory of 4536	4048	Ebbidj32.exe	95
PID 4048 wrote to memory of 4536	4048	Ebbidj32.exe	95
PID 4048 wrote to memory of 4536	4048	Ebbidj32.exe	95
PID 4536 wrote to memory of 4080	4536	Ehlaaddj.exe	97
PID 4536 wrote to memory of 4080	4536	Ehlaaddj.exe	97
PID 4536 wrote to memory of 4080	4536	Ehlaaddj.exe	97
PID 4080 wrote to memory of 4588	4080	Eofinnkf.exe	98
PID 4080 wrote to memory of 4588	4080	Eofinnkf.exe	98
PID 4080 wrote to memory of 4588	4080	Eofinnkf.exe	98
PID 4588 wrote to memory of 4068	4588	Ejlmkgkl.exe	100
PID 4588 wrote to memory of 4068	4588	Ejlmkgkl.exe	100
PID 4588 wrote to memory of 4068	4588	Ejlmkgkl.exe	100
PID 4068 wrote to memory of 4516	4068	Ffbnph32.exe	101
PID 4068 wrote to memory of 4516	4068	Ffbnph32.exe	101
PID 4068 wrote to memory of 4516	4068	Ffbnph32.exe	101
PID 4516 wrote to memory of 3136	4516	Fjnjqfij.exe	102
PID 4516 wrote to memory of 3136	4516	Fjnjqfij.exe	102
PID 4516 wrote to memory of 3136	4516	Fjnjqfij.exe	102
PID 3136 wrote to memory of 2896	3136	Fokbim32.exe	103
PID 3136 wrote to memory of 2896	3136	Fokbim32.exe	103
PID 3136 wrote to memory of 2896	3136	Fokbim32.exe	103
PID 2896 wrote to memory of 1972	2896	Fjqgff32.exe	104
PID 2896 wrote to memory of 1972	2896	Fjqgff32.exe	104
PID 2896 wrote to memory of 1972	2896	Fjqgff32.exe	104
PID 1972 wrote to memory of 4868	1972	Fmocba32.exe	105

C:\Users\Admin\AppData\Local\Temp\4f44bdac2c0e948362d6d0cc3505afa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f44bdac2c0e948362d6d0cc3505afa0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\Dphifcoi.exe
  C:\Windows\system32\Dphifcoi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Dcfebonm.exe
    C:\Windows\system32\Dcfebonm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\Dfdbojmq.exe
      C:\Windows\system32\Dfdbojmq.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        36⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        39⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        43⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        45⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        57⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        58⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        59⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        65⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        66⤵
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3664
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        69⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        71⤵
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        72⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2704
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3472
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        77⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        78⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        79⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        80⤵
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        81⤵
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        82⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        84⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        86⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1900
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        88⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3392
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        90⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3148
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4720
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        93⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        94⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        98⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        99⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        101⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        104⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        106⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        107⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        108⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        115⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        116⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        123⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        125⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        126⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        128⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        129⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        130⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        133⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        138⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        140⤵
        
        PID:612
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        142⤵
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        144⤵
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        145⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 400
        146⤵
        Program crash
        
        PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 4876
1⤵
PID:5772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
80KB

MD5
e15cbb10dc803557dc3dbe70a98121b9

SHA1
4e80af53bb5cd61fe90d1cc18e978ccd5f479f87

SHA256
3d47f76851d614aea42a3d1f727f743c851eaab3bdab8df9395398ec6b38cce2

SHA512
67184fcf0665276ebb1b6657a3afa7f738a101a55758357cc636dadc2bb5b4cd37d43610a36c93e01b8f49ba621e738cd24be9232655677ae4d6318a36b34f47

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
80KB

MD5
b2747f77655c9fd4733e8a1de10837dd

SHA1
19052a8914aa38cfd247e4649f09d41e08e51cbf

SHA256
f5bd8f6e79ee350767d10d25d263c92dcd5c9731ae189bd53a6db04008090fb5

SHA512
d12b2c7244fb670995c27dea182cf5b21ba3ba63815cc3aa3d5c47dc37741e4423ed4143d568665a6c8ac2665da4e3a87ffa94537207dcd24409fc1b11cff760

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
80KB

MD5
4bfbad21de1aa19b8fbfb06300371868

SHA1
51fcf7961c4e208c4b644748bd4b509a3fc34c0d

SHA256
1580139bbbfa4fe249838a56bdd1dc0b05234087485f9ac6f1b1bec69486000d

SHA512
ba6465a7a41b0103d65780cdb35952d404d11629b204df344542324befbc3863bbf396094b631b336864b13a995a151c383eb217afaaf9117682cafdfc55ad39

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
80KB

MD5
037c6fb197ee862f90b416e534ae8e7d

SHA1
d7933b5169f4cc662a87ba8ceaf9baca63bf6723

SHA256
078bf0344c85b6b2358bc5626781f344132db5be502ec78dbbfd19aad3a6d90a

SHA512
576079ddc9881b61051b3bcda48e62494df4280c54e19e9b6e07222879719b45a23f5d239b79d4477dcd0b07776ce5d18f965825433cd0db45002f70b4ed95cb

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
80KB

MD5
545b0213a7ee730222cd427592c3b915

SHA1
2f22a667ab5a53e3beb7e64ecad66a1dfbc19559

SHA256
4d916cabc8e9eff1f16f6a134d60681aad1872b0fb47e6b430d3f48fc5f48138

SHA512
32d55f638edfcb8327a6bdb632d4990fa8221b8da0f789cbde5fb9fc6f4e0a69e985629ee1dcc62d1ab0f118c2e1357246e3c899c39e14f200a86fbe9ffc181f

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
80KB

MD5
4b298f86d2b46544e63da458244ad226

SHA1
39e028dfbecf3127a95784818925c3696d5a885e

SHA256
d3e042fd0c8f350de223d9fbcd046e84fece45807844d186a34c719e27d27fdb

SHA512
449dcb26030cbad4ce39ea20d5474e71af5d44c24bc379327aa697cdfe73c22cb7f16bc15d2ea7fb338a9075a3bdd6177bbc50d99b65b84f1007b0515e43c419

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
80KB

MD5
dd1bd4771ff61518f6e1cc72dfb3a0c6

SHA1
b4890c256571fa4ab08f4b2bacaa5316deaacae5

SHA256
5885f6a399f33b45f30cf35e3d21ef57aa91b1e58eeb55ffd2d415b4640d96b3

SHA512
f36d6efa51ef01dc3508dd88206a6b4809dbf54f7076b6d6ca85336a24b6de58955af5ca7f91a37cb5cf69f66cec5caeaa6d210037c8bc87aa0e9738677b5b4a

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
80KB

MD5
e5f1c98623ead576705bb714285108ed

SHA1
6fbc5311a8950353ee0bc6212f1be29c379b21b9

SHA256
ed226d9ad4e203fee528979cc40b9199894e448096774494bc6decc431237d7b

SHA512
57227ef03e9f0dd1134d475b1f0cd88d9a8b396e65ef0846d720bf023077095b8e0b708661ea31195304e7fdc4e6335a10a265bc8600b3e970aec0593fd6a96f

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
80KB

MD5
d4b2fbc774276b9938ad83f453489688

SHA1
33bf7202ab822fa484d9b9885fcdcbf8ba0f59c1

SHA256
fb886d24bfa24ec4ad96ce864eff294e5c0b029a454e4a0dcb62de0e491111be

SHA512
7e85a3f3913a59471ff0f4f1fe49bff579239ab0f5f1cb3052b7c5c112872999f14fae323d517847983429c679cb5585f553cbeeb163fccbc39622d786643aa8

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
80KB

MD5
069f8888db4c807a4ad995d8cbb7a9c1

SHA1
91795bad2dd260f5b808168c5157fd5de5c46a4f

SHA256
c35d1e39ab8e3ffe30b6d25bc10dd8d7af5652ddb28636d5573e8eb9727f3258

SHA512
9a61ce38d19785a2d0cc5ccb2e242613ddb1c48bf9a4f46fd593fdc2eb051be9902b27f5198e65f18413f40e1dca054b96c92b6fc1f604fad7f6e0f07f935147

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
80KB

MD5
5039901ddafa78ca5d310e9cca8a7491

SHA1
e5ee3bb8f2e04b5431b85585b1eb34207434ffa1

SHA256
4fcc7f8468c3eb357c0fe56a7ae06c91cc4ff55458c2e457723414cc69ac433d

SHA512
e1f8b5d1ea940e9fe8c7e9a7703fe02fcdda05d7238abe06587992551a441ebde21b1e5b0e480177857bafa91ecd082b35797c0a9a79f41f6e15bbfcc1ce34d3

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
80KB

MD5
9f44183dc2f9bdf707f4e8e84fbd55c7

SHA1
58685c17635fc6097e4bc8b3dc2e7e96d3c9fed4

SHA256
3a771f166850070582278c33c4b4e19201da9260fb3b44d9d4f825f47a19f178

SHA512
7387d76f795597e9b303480a062810b8aeab7304e97e2bdfd0b532b9de37adb9d471ec25cb7d16e7edc27126584cf20eaf011b45b7fc3a0026662c5b3ca61a2a

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
80KB

MD5
159ae83e6aac8ee900e59835f23158fa

SHA1
6a8ecd8c3e5750f26aca19c529dfa6b018848cc2

SHA256
3526428ff2644c7f7db028023a03a8321111b4b2e8618dd5ecd2d0b6afa2f9a9

SHA512
eea506f108b0d4357045c38231f5fb4d88638b158eb8952695d5066c307fcfc301c36d9683f4ef5d1d174685343df9a889ec20f361de94dabf5d7a4e3d4caf62

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
80KB

MD5
8523398164537565efc834021dd06899

SHA1
e912ca65f867209db23189bee2f19825153a2b52

SHA256
cc3f6abf56c0ecb4a0b47f58479b3febe11baa6bbb9d3f352f44adbd03ff5dc1

SHA512
a9cc70a7de03711471481855e20513acb56a32a8c71e4b2cd5add3ef9e5b3092e9e0ba4b536fd978e38085aeb2e1001236c6ca7fc401afc1dee1d8c5932358ff

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
80KB

MD5
0285dd9aadecb78447cd3f8fdd8637d5

SHA1
3ee53ad0cf9ae829a86e401596d52da7ae0af928

SHA256
085bfb69bdc1283c2be69a9566ec00fff0f292d05e29dfd70440d0cca0924638

SHA512
23af7b656ad49873463d1df5de7dec353c78daa76fa1bec7a061daaec99736e5b244d1b50041517e1c77add03dbfa76fc2fe1dff0ab57bf682ba4cd5ef28f95c

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
80KB

MD5
5df24f7ff5b70e225b3ed19b700d6139

SHA1
cc1a918081c0c49d097db46936bbc74f8d1b7f70

SHA256
1411892f0aeac017534db9c79ecc38c5de9cbd188158e8610367fdb56e8f618c

SHA512
b1a6070c9ae032aba5eab2ff322decbd168442453bc6fae521d36d3b1d9e5a8027569e02aa36cebc8f9914357ba54c36ef709838542bb42017dbb9e01a143b45

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
80KB

MD5
55209c022398c02457c38166469d130e

SHA1
81aa43cde03587254023fa0fe06d14e4b0df20cd

SHA256
983d4ee8739f851c9c53e5fc107269ac39948f085db1751e991fa26b74d838c7

SHA512
6dd199e7330f7dac0b4a0d2d96ce12b81d2625e5742a9949e898443d2435f9be9ca3e9c2b6a9eaa5b4655d762eaab15fae70fb6f35fe9c840c1480758dc187a0

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
80KB

MD5
f02a00d89d85f57f265337c4f2f18709

SHA1
845a49c79ea9408316b32e3b90e431d53682b3b4

SHA256
62ba5152ddfe4beb07f284f2373e3aabb74c997455f9807249a5a9029c53e641

SHA512
ed23218aac07e87e5414b2433581264e992000ece50f12928eb5213c50316590b2a70d90da9e0340b863895d4462d366629a9f5cf945e4e6b6ca725682e5e694

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
80KB

MD5
2ba6c4a5e314bcad868e0a06ed7ef5e0

SHA1
6547ad127c209d576930184a6a2361ccf66dc5e0

SHA256
121d09c296464930952e9e0f25d106f31d96ba3063aa14c2db0b8c6cb1a276c3

SHA512
d4ae19d9173d01cc9276fac19f524fb7cb0ff1c1bfd354a0b184ae8ecba3d267baa60aabb1091a2698be8cec2f32eb8b970853f7c826d1d776a6d8269422b575

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
80KB

MD5
d9b9a1370637c76afef3ccdad3578225

SHA1
096d582ab8f53f4c5f04b73700ba674b926e51f7

SHA256
0d203c8bc3bdfb6241f96d69a53420533897d11de5cffd703eede3308064c105

SHA512
4561e8babca626cabd7b6f0c84bea1665a29d6157a145b276a8f44464ee49a1203ccb0f8c728f837b10a49208509ce8ba85ed51d5e47c3cc0c4b6e04d96533f4

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
80KB

MD5
cd22a4a388295835230348ac3c7da107

SHA1
c88706c59f33016a789ea5c4e4e7bea1a3cc8e12

SHA256
906128584b5aaa09b3853628df2a64cde3aff3cf56ce9ee2b7a0bb13014b9a1b

SHA512
345ffe8abc266f01ca09da19d104e48244bc5d8dbc5427089aa5b89043c904e32a819e5dc72549994df03bb12639c93668127384d9327e200ac5e1880be1a744

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
80KB

MD5
cd608719016e3f4b7b4564f7c8e1987e

SHA1
33887bedca96da1b95aa7f9f3b77cdb27a577025

SHA256
c63c275709a6f14e9d9c0fe5b16ddd29589959f13c57cca8a5e5de462b3aaec5

SHA512
01d5917558ec4a5d4e6c5b7e053634c80976cb73da33b69a4bc564919edc80b62b070cdf529dd489a22963e00d5eebad942f52d31149f76cb6622a44789127c7

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
80KB

MD5
07ec448945bfa2253790b60d062d90eb

SHA1
9cfaec856325e772b5c0d33922b15f375cfa59f2

SHA256
2419c1766e2eaae77d7596346b0bd34b4ef6f4937f5f80ae100bbc93f168441b

SHA512
40beada0f47658d643fdf02a8b00f90eb36069ddce093d21f5add9991ff433f4c665cc71e3dae827db111e70b1364bd5338e0c8e271bf230c4fac0f31185f6f3

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
80KB

MD5
c700bcd3f7ded7a401568ba70fa103f3

SHA1
616d9faca7423def3ccbc52e7099379199905df9

SHA256
6290519205016f14062efa2bd619f292d747c6559a792c1c0d8e59b880047a66

SHA512
0665cd2f1dfc4d064f2fed1b4aea95e9a1c4acee0810afce39546bbe5410e8c9b10a6c2bb3453514f58afa451c0ca5f11cbb52567bcb05333971568dd29b7972

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
80KB

MD5
8c7803315836b941d74dd569d536745a

SHA1
9d7c9b92b28a02ce021324098696e78ed16e2df6

SHA256
eb348bd1566561b18e88088674018d1ea5b093ec2dcf579d6af7edb98883e7fd

SHA512
c9bf2d98ee3fb7ee9c4123c827820f8bc510d6584b30fc895ab41ca83c833f919d99f072eea58510cab15294f9a4e9c9bf9c2b807a9d0f54bf5bf778118f2360

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
80KB

MD5
d6efdf19d5c5b5373e25e92a363a539e

SHA1
db78e77c3081d645addcdfe89536b5b97ec3ee85

SHA256
fc6bc6658d50c6202ef14d15c28a45c38f03ee9f16fd29c1d7b0b9eadce88154

SHA512
352566ca75ce933a9a1ed9cf041245e492a796e18ef352ab449694ae0ad331ffec549289b1c8bb2fd7d335db46d8105999cf4d484b9dbbe14fca910b090c0140

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
80KB

MD5
42515eea10dc72817908972c8ba91dde

SHA1
af26f0646278e972aae19351f3575bd9e37fb5b0

SHA256
051b6e0682e705ba054e8780f110270ef4228b67ec18e8d7174dc733ece7d683

SHA512
5d922ddc764c7f5f18292999a650aaf693e20c375dcdc63f85f09762b0edac1183b124e49e748ea8624951ae3ed4ee7700725843a7ef8ea984334f0774238da9

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
80KB

MD5
a13194e02ce9e0905835a507ff94053c

SHA1
a3e3ec5acdc135a9917897dac710fcb2ea8a3810

SHA256
50492c1aaec65f906927441a2659f95f8ccd698efcdd5d4a2f145930c5a65af3

SHA512
8981c75913c808f630214d7cc461e504152d39ace4a9ae09b2fe85fd9895f0112c30e4af4bc15f82a95c22c3d08290dab64edc87eb49e9b1e74e8f44c9545c9d

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
80KB

MD5
500e2d1744122bf32baa6b708af399d9

SHA1
0c8af0e22b84a18358139e967283eb9d80640641

SHA256
49304e92405eb88b5740e54a00f1e5d460455e1b89d546d610858d70773c4b44

SHA512
7a5899a566a6c68851f7f7806106068d99caa0c0f102d99803e6357dcfdf0450924fbb8929e412f4c2af3297df41fb679cffd7c0bdb4af8cc5b205ef3aac06b2

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
80KB

MD5
b49facb3a83be023d160d19b66b424f7

SHA1
a3d2044db8d19659512b767d71c20202661bbcb8

SHA256
c73dd28aa9e375e56d5a0776f1ad63264dc795221c2422f7b2b95e9ca7540929

SHA512
c6edf185ff966f8c128ed99b0d2bf5c8922d1069bf5f4d52b32e90d7a3003874d54100e4dbdd8988999abee00ec5b93b51b4a58a37a2677ebbdeceddb62639b8

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
80KB

MD5
08c14776e359734e98eb231101934e6f

SHA1
a4ccbd313cc3afd866c4f74df20491dcc9a185a2

SHA256
87079f19f2e37e278977c4ac46f78af2ad10fe3cd5940bf93bb8a695755f6df8

SHA512
ea66d3eb3ea244d35c2029afeb8cd467c1032e0572cc60812d7a86d1da75770950f17af57d402e1f758b1f8eabcb48a7c777e510a911e577e3b0939dc5673009

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
80KB

MD5
6e5cd99ab51dfc0eeab480515ce09fe1

SHA1
8b4d487622c159535f46cb3cdf7f80159b82f0f1

SHA256
531cc76380f74994709a1195c8462e3a4cbcfc549682dfdf4f7bd1d43f1a53c0

SHA512
12732cba245b74a6915d0f3fb22a968fc3649e82afe80eef1afcbf75bc9ca17812ae14ed3254ccfa3d1856028de61700da19231622bb8aaaa01a7146e96a8ede

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
80KB

MD5
f4f4b57324bf8b49e4fdc1dffa35eb3e

SHA1
c313527a2c5a5c82948ae157524e6b9ecf05c2f0

SHA256
247622b3922c4b355b49e2c143d19e2088dadc1503fa44b28f69095fb70a13fd

SHA512
9c9145f7d4fbb4bd2f2c98f53b015a76f2520fb28b9c50378e676cfc8bdca1dc9ad056a0ae90ebc8806edb370bc1353596903bee0d32a23cc9a4390a595d905d

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
80KB

MD5
2447a9db59d83ff8142701ab4cf79ece

SHA1
7566558c5f7e7e987e017e93fdc1c48710582959

SHA256
c750476ff831c88a6b059a703d4d2dd0bd39fc5e96d3116cf3d6243a6656fd90

SHA512
dd3888953770e5699459962679460aeab5865e8bb3ba57134250011386cb99d8f8b3173c2277ec094fb7e073963b967f959d9a11dd7eac7a605eb13e2b0681f7

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
80KB

MD5
5190c6b0c99b1d2b66104f6b7bd6f909

SHA1
d74650e6a9c2d3620fdd1fc1644b95e63e062fc4

SHA256
532db402c653aeb628302145d60bfa210a3e4588817d595065d7d4b6f073c40b

SHA512
e3a661846bb61a13eb986f14d11e8fde29b66a35633ce50730c351e4362554600065f45c22e65ab92ef6614eed60b34c1e7342cb87821dd230faeeaea483be77

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
80KB

MD5
0f1b88ff3b72d1fc6ddb3ba52f0e2d5b

SHA1
29044efa8fb0e4b246bb6dcf422d7464ecd09fae

SHA256
712acd353b1f850090c0bc0fb8889aec95e09089090073ed896c208ffa6f8085

SHA512
16868bc740fe9f35d568cd00b7162effc18fb3efe44073c3927ed36f4b55811e72bb66f915414696d0ba5b16ca267f2ad81655801831ae5a743cd2e5205cd2bf

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
80KB

MD5
e03778126b9ee73fcc267f90495cdf35

SHA1
10380f285a156ea5a35a2b9c52694d0b12462ea2

SHA256
3f996afd0e5f0472a5b6ddd04e900bc9b576816deccee489b25946bcc8a3d75a

SHA512
3984ae9b3e7472375fc72c4a3faec23607a01c4e67e4960816a1ba5f81ba84430b771c0bc6c32a6df64323b54cd18453c61968eff382052f7f5cd759bba6759f

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
80KB

MD5
67b440146ba99a9493fb2fdda3953722

SHA1
6a95c864b5e5763c779d802bb3655f0551432c33

SHA256
01ab78185dd0b361be4eed3a3017a2f794a8a04b2cd7d8b9e906bfb301db572d

SHA512
a65576f06cad6cf0e3a36bd85309cffc2c00010776aa593826b46ae13f79bc1676897c3abae5cdbab081f62a2041e8cc8ec24a6f1a08af9f951599650e5b45ac

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
80KB

MD5
6f3280034799aea5826224b9a058d4ad

SHA1
74cb446e43447bea6df4b158330a3556f2215f73

SHA256
bd9ac2570c5700c3dd607aa2d0a0574dcb49cc510bfed1616db74edc92622233

SHA512
8be9694cf7aa562d8490d233bdd11ae9d96e72705145a3a1c3adad662a8fab7dc1ca7bf9a34a61d740cae05f48c71dc36152ad7ebd8b2107e109ab880c604063

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
80KB

MD5
c50e445a20605611e8accd7f6323c9dc

SHA1
2d78c314acaa6b5681882a693ad26a4305d82fbd

SHA256
c94b50338c66f3fd0a223dcfe476002b51099b32399c0e738632ede090acb375

SHA512
4c07f1d61aedeaee21b05ee25fedb929ea6fa7e781c085e1eb7eba8d9e51d171d261f0158032745afc0cf97de3d24f3f40e136ba1714c41444decfbe05b3889d

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
80KB

MD5
c5ae31ad8c0858eb073d92be6dd9d285

SHA1
2e6d3d890422db4b80ddf55c9e813b4ebc4c40a9

SHA256
c16d99e4ae6c0fec7d021630b0a6aeaf58586a30d33f5109513c6fe2dfacb15f

SHA512
53ecff0de0d38c7a549d3ac1b32da3150d6be7df72d3c97faf61eedec41248f6a4636035eda83115bc0c9e1b347690134c01c2d6b76acafd2fe763cbcffed6ad

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
80KB

MD5
c3ed92c4d2fe15e65a8e4f178de2632a

SHA1
6ec8c613b529b59db5c077f94d93ce29a80a7b4f

SHA256
aa3eb5b148e9175c0aa23fd600bab8b7488f7c7e44e2e3d30168f27b21fc8a00

SHA512
ccd028b199d1bf3e19f2ad3acd07af5daebad7a894d11b5acccf3b620a176fd2f5a166a060c3f39374f17141da0a7f449221333ce6824f0a5ac7c161884905b1

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
80KB

MD5
78119abc22b786be99d71cf033cf0805

SHA1
3ce30c24abe5843d3a19ce914acf4009e17a104e

SHA256
669f15a3fb2a8011ecfca1cdcda5f051ee03741d901cdf9ed5a054d64d56d4a7

SHA512
76ab045c91dcbb5d7ecf7434a2edac089fd69f14f764ff14990e2f7836f9c68c8853afbf24055cd51578a57b0a95f2be8771e1fc8dc21ada6c2f230cdcdd44fd

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
80KB

MD5
314b39226fc258f9465fd4f5db2c3d2f

SHA1
60a327f4f4f05d1b3a3726ecd342e7b9b143bf6e

SHA256
0904b2f98f8cb66f51c57e838146c64d018caf1d78665efb525f3cfad66b7675

SHA512
354891e80609900cd1cae35c3664d04b8c38fe00bac7ad7aeed5ce6be3d2d1b7e259cff51f796f1f40316938a0c4d531138891c7e516c3e81586c0297acbf720

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
80KB

MD5
b51d9958e469928691f8eaf1a420cf0f

SHA1
6e2dde1fd27cebc6fdb2002e761c6031a501f47e

SHA256
3a2ad6d9117e6f1889bb46f9699d784c0a035209d353253e3eae2fbfc7169bb5

SHA512
c0a3eec666633607181c296125a7d1d0a86e7a68c074a02cd0c81d75b818b7868d8d13a517884aa1f54599ca77f7825b56c773b17b8274723d594fa4b04985ba

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
80KB

MD5
7eb0300a09c2a5c5d7c1ca04fa1734c0

SHA1
2c2dd0577e90e20ba267466e2d18808e25b0bb18

SHA256
c2fa8e92454487fdebad2e56aad2345bcb1b9382a45a2097dd6ab199a9be57e1

SHA512
21cfca1407466bcb3b8232aa0b02b2c3fb2697af0fecc09c83067a5dbba4e6fde46e14422cfe824c49cb8c9120ad6cf0f184ea131471f7d3d7e29d5e65533e32

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
80KB

MD5
0c076ac86e27923480d33e38af27e252

SHA1
e62387ce82d583be2ef2b67cde7ae5b679f41fcf

SHA256
3f886949c4c27cb9523c0616873f7e52811bdcafad5286400f897eda67def193

SHA512
dd31483b1afdbab148e0af696521466a2919af36e5face1340a2cd001834ad90ae0069804900084c9aa0dd89bde2f62b5c3086b47742b6c4c4c181819c61e0ae

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
80KB

MD5
6d7a79fb19a227f30ebb4ccb99137b96

SHA1
e6aa89ca50a252af4759f02f983c86bea81d8450

SHA256
9300bf9c4ef6ca4d1f2edcffd521b3d5ca527e4276bca69979c904597f7990fe

SHA512
7032c203a5e2ddc9d3d7d2321ba9231cb83577cae7e6e8c1babcd23e8c0fc07348287992ef04d8650694fadda4723ffe7ec3a76c01c279b32f9474a2dfe1555d

Download Submit
memory/376-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/440-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/440-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/448-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/548-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/548-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/548-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/644-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/644-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/884-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-392-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/972-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/972-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1076-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1076-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1272-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1272-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1508-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1508-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2528-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2732-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2732-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2896-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3116-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3160-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3160-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3416-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3416-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3876-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4068-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4068-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4192-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4196-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4364-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4364-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads