04624ba11ac0d0b0e40e267184a93011ce085dab1a22b043abc56f4fc467733f

Analysis

max time kernel
111s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04624ba11ac0d0b0e40e267184a93011ce085dab1a22b043abc56f4fc467733f_NeikiAnalytics.exe
Size

136KB
MD5

b475fa2724472aa2a9eec16c28195d80
SHA1

ede3001514ff5244913aa1ea36d29a0e480422bd
SHA256

04624ba11ac0d0b0e40e267184a93011ce085dab1a22b043abc56f4fc467733f
SHA512

b0b799cbb2e00c9ef865f1ff88b8809f5b4e1cea7f4659ec06d001388d1b5f530c52b9efa0fa941bfbfbef7affebc9904f50e44b2fa913b67e0d9f89b442e910
SSDEEP

3072:ZnmWhe+37sohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:lmu37sohxd2Quohdbd0zscj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe

Executes dropped EXE 64 IoCs

pid	Process
6068	Ejbkehcg.exe
6012	Epmcab32.exe
1064	Eckonn32.exe
2208	Ehhgfdho.exe
2280	Ecmlcmhe.exe
4760	Ebploj32.exe
5372	Eleplc32.exe
1188	Ecphimfb.exe
4808	Ejjqeg32.exe
876	Eqciba32.exe
5992	Ebeejijj.exe
2072	Ehonfc32.exe
3460	Eoifcnid.exe
1456	Fjnjqfij.exe
4104	Fqhbmqqg.exe
4180	Fbioei32.exe
3120	Ficgacna.exe
3132	Fbllkh32.exe
5908	Fjcclf32.exe
5596	Fmapha32.exe
1944	Fopldmcl.exe
5956	Ffjdqg32.exe
4804	Fqohnp32.exe
5412	Fcnejk32.exe
1116	Fjhmgeao.exe
1536	Gcpapkgp.exe
2040	Gfnnlffc.exe
4908	Gmhfhp32.exe
2028	Gogbdl32.exe
2100	Gjlfbd32.exe
4556	Gqfooodg.exe
3584	Gbgkfg32.exe
2732	Gjocgdkg.exe
5324	Gmmocpjk.exe
3612	Gqikdn32.exe
4872	Gcggpj32.exe
4184	Gfedle32.exe
2948	Gpnhekgl.exe
4156	Gfhqbe32.exe
2916	Hclakimb.exe
2744	Hjfihc32.exe
1732	Hapaemll.exe
5468	Hfljmdjc.exe
1808	Hmfbjnbp.exe
2272	Hcqjfh32.exe
2148	Hjjbcbqj.exe
5636	Himcoo32.exe
3292	Hccglh32.exe
1384	Hfachc32.exe
3588	Hmklen32.exe
1288	Hpihai32.exe
4836	Hfcpncdk.exe
4508	Hibljoco.exe
3492	Icgqggce.exe
1928	Ijaida32.exe
1904	Iakaql32.exe
4948	Ibmmhdhm.exe
3868	Iiffen32.exe
5388	Iannfk32.exe
5932	Icljbg32.exe
920	Ijfboafl.exe
5364	Iapjlk32.exe
5424	Ipckgh32.exe
5760	Ibagcc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ebploj32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Eckonn32.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fbllkh32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fopldmcl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6828	6688	WerFault.exe	242

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 6068	428	04624ba11ac0d0b0e40e267184a93011ce085dab1a22b043abc56f4fc467733f_NeikiAnalytics.exe	82
PID 428 wrote to memory of 6068	428	04624ba11ac0d0b0e40e267184a93011ce085dab1a22b043abc56f4fc467733f_NeikiAnalytics.exe	82
PID 428 wrote to memory of 6068	428	04624ba11ac0d0b0e40e267184a93011ce085dab1a22b043abc56f4fc467733f_NeikiAnalytics.exe	82
PID 6068 wrote to memory of 6012	6068	Ejbkehcg.exe	83
PID 6068 wrote to memory of 6012	6068	Ejbkehcg.exe	83
PID 6068 wrote to memory of 6012	6068	Ejbkehcg.exe	83
PID 6012 wrote to memory of 1064	6012	Epmcab32.exe	84
PID 6012 wrote to memory of 1064	6012	Epmcab32.exe	84
PID 6012 wrote to memory of 1064	6012	Epmcab32.exe	84
PID 1064 wrote to memory of 2208	1064	Eckonn32.exe	85
PID 1064 wrote to memory of 2208	1064	Eckonn32.exe	85
PID 1064 wrote to memory of 2208	1064	Eckonn32.exe	85
PID 2208 wrote to memory of 2280	2208	Ehhgfdho.exe	86
PID 2208 wrote to memory of 2280	2208	Ehhgfdho.exe	86
PID 2208 wrote to memory of 2280	2208	Ehhgfdho.exe	86
PID 2280 wrote to memory of 4760	2280	Ecmlcmhe.exe	87
PID 2280 wrote to memory of 4760	2280	Ecmlcmhe.exe	87
PID 2280 wrote to memory of 4760	2280	Ecmlcmhe.exe	87
PID 4760 wrote to memory of 5372	4760	Ebploj32.exe	88
PID 4760 wrote to memory of 5372	4760	Ebploj32.exe	88
PID 4760 wrote to memory of 5372	4760	Ebploj32.exe	88
PID 5372 wrote to memory of 1188	5372	Eleplc32.exe	89
PID 5372 wrote to memory of 1188	5372	Eleplc32.exe	89
PID 5372 wrote to memory of 1188	5372	Eleplc32.exe	89
PID 1188 wrote to memory of 4808	1188	Ecphimfb.exe	90
PID 1188 wrote to memory of 4808	1188	Ecphimfb.exe	90
PID 1188 wrote to memory of 4808	1188	Ecphimfb.exe	90
PID 4808 wrote to memory of 876	4808	Ejjqeg32.exe	91
PID 4808 wrote to memory of 876	4808	Ejjqeg32.exe	91
PID 4808 wrote to memory of 876	4808	Ejjqeg32.exe	91
PID 876 wrote to memory of 5992	876	Eqciba32.exe	92
PID 876 wrote to memory of 5992	876	Eqciba32.exe	92
PID 876 wrote to memory of 5992	876	Eqciba32.exe	92
PID 5992 wrote to memory of 2072	5992	Ebeejijj.exe	93
PID 5992 wrote to memory of 2072	5992	Ebeejijj.exe	93
PID 5992 wrote to memory of 2072	5992	Ebeejijj.exe	93
PID 2072 wrote to memory of 3460	2072	Ehonfc32.exe	94
PID 2072 wrote to memory of 3460	2072	Ehonfc32.exe	94
PID 2072 wrote to memory of 3460	2072	Ehonfc32.exe	94
PID 3460 wrote to memory of 1456	3460	Eoifcnid.exe	96
PID 3460 wrote to memory of 1456	3460	Eoifcnid.exe	96
PID 3460 wrote to memory of 1456	3460	Eoifcnid.exe	96
PID 1456 wrote to memory of 4104	1456	Fjnjqfij.exe	97
PID 1456 wrote to memory of 4104	1456	Fjnjqfij.exe	97
PID 1456 wrote to memory of 4104	1456	Fjnjqfij.exe	97
PID 4104 wrote to memory of 4180	4104	Fqhbmqqg.exe	98
PID 4104 wrote to memory of 4180	4104	Fqhbmqqg.exe	98
PID 4104 wrote to memory of 4180	4104	Fqhbmqqg.exe	98
PID 4180 wrote to memory of 3120	4180	Fbioei32.exe	99
PID 4180 wrote to memory of 3120	4180	Fbioei32.exe	99
PID 4180 wrote to memory of 3120	4180	Fbioei32.exe	99
PID 3120 wrote to memory of 3132	3120	Ficgacna.exe	101
PID 3120 wrote to memory of 3132	3120	Ficgacna.exe	101
PID 3120 wrote to memory of 3132	3120	Ficgacna.exe	101
PID 3132 wrote to memory of 5908	3132	Fbllkh32.exe	102
PID 3132 wrote to memory of 5908	3132	Fbllkh32.exe	102
PID 3132 wrote to memory of 5908	3132	Fbllkh32.exe	102
PID 5908 wrote to memory of 5596	5908	Fjcclf32.exe	103
PID 5908 wrote to memory of 5596	5908	Fjcclf32.exe	103
PID 5908 wrote to memory of 5596	5908	Fjcclf32.exe	103
PID 5596 wrote to memory of 1944	5596	Fmapha32.exe	104
PID 5596 wrote to memory of 1944	5596	Fmapha32.exe	104
PID 5596 wrote to memory of 1944	5596	Fmapha32.exe	104
PID 1944 wrote to memory of 5956	1944	Fopldmcl.exe	105

C:\Users\Admin\AppData\Local\Temp\04624ba11ac0d0b0e40e267184a93011ce085dab1a22b043abc56f4fc467733f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04624ba11ac0d0b0e40e267184a93011ce085dab1a22b043abc56f4fc467733f_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\SysWOW64\Ejbkehcg.exe
  C:\Windows\system32\Ejbkehcg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:6068
- - C:\Windows\SysWOW64\Epmcab32.exe
    C:\Windows\system32\Epmcab32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:6012
  - - C:\Windows\SysWOW64\Eckonn32.exe
      C:\Windows\system32\Eckonn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5372
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5992
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5908
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5596
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        24⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5412
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        27⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        28⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        30⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        32⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        44⤵
        Executes dropped EXE
        
        PID:5468
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        48⤵
        Executes dropped EXE
        
        PID:5636
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        49⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        55⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        56⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        57⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        59⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        61⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3996
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1424
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        69⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        71⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        72⤵
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1420
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4448
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3888
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4932
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2076
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        79⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        80⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3708
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        84⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        85⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        86⤵
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        87⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        88⤵
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        90⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        91⤵
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        92⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        93⤵
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4088
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        95⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        97⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        98⤵
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        99⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        100⤵
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        102⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        103⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        104⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        105⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        106⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        107⤵
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        108⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        110⤵
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        111⤵
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        113⤵
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        114⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        115⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        117⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        119⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        120⤵
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        121⤵
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        122⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3140
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        131⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        133⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        134⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        137⤵
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2884
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        139⤵
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        140⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        141⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        142⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        145⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        147⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        152⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        153⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        155⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 400
        156⤵
        Program crash
        
        PID:6828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6688 -ip 6688
1⤵
PID:6784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
136KB

MD5
c8902b7437a358d012d2df8020a86b91

SHA1
f53004ec7bd1a1d7284cc06312b8228e390623e9

SHA256
1769e5fb67c48cd79e52d06debf6d2be691afe87a243832751d7595f13e6b2c6

SHA512
8bb26c88b80bf9a2acdeab4e30fd7d3a9eb455d657123e8b04e5906a0234612c6cd34584166a1a126f61d232ffd533d2be41c2e271733ab021fc6c8bafc35f4b

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
136KB

MD5
74a345def62d6324dda67dfd6e3089dc

SHA1
2e88c2d6508f32717c6475c32884d1ef73ff3a10

SHA256
34480b83838ef04a3439f6873916066a6f726795a41a1edcab4375e4fce76fff

SHA512
05ded77f374590bbf079746df07ce2a0a100407ed839c6c6d7d4bf4308aa094e17afe8d7d2b11a7c5001ce2c297dface4059155e599e2b78378c0a461c01b744

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
136KB

MD5
905b35447269840fe72b6e617ab186c0

SHA1
92683f6c7af7b63364d3626d41d3c45989fa333f

SHA256
e1959303e33140e63dbbc6052d86f619288a16799751ae168034d0ec34c81391

SHA512
e2a7d69618f95c8653ee57699d6843a331a990f6821edca84c64d5535626ba3c4bbf5c7969d831f7e94c4fbe8cc18290e4a2738080604a4bc5135a550204ad35

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
136KB

MD5
1931f0fd2a4ccf3015fb487f508aacea

SHA1
cbfeb660da26956fe79a9089a8dd39450e21e690

SHA256
09186e85461497460fbb5a80a7e36a12e8999e46e50e1d396b00f4343050b6de

SHA512
e3aaacdba011a95d43af2a4f3e4215f411766b8e8a5cefae2d3a90b7ceaaf5a2c50287e4e1f1d551b778afe30d1d926c5e443d0a627512c3545ce30ed560e2f8

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
136KB

MD5
cf0c0684ae80776d757439f25bfb8099

SHA1
a07377f1757687db1d173a8563a8613a58b2349b

SHA256
c87bfc0da4f6e57d307960aca0de0d010be5eb781640338bf3ca8107b4d00659

SHA512
21fe30a93ee5ff8329a63e74425b2debeccc6affbc38d895e85d2add4161df85594b1f65cf369a479be4d056f76bb06ec8b8f12cfb63347852c55927c1f573da

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
136KB

MD5
1d52c4539ad8a19b83eee4ce2580bd5a

SHA1
416136b75b1ef5d801c81c30494fc952fd658cec

SHA256
791d943e66823725897ba375da694df252a6f6920af9923b126d767d1c61b8e9

SHA512
54c867a15f0c5c34ff625027246f80deb76b1b15a0f1131fb37689e4add9d8da6df05781d023e4fb406d729b02b4487a86bb952da11379d3c6b01dd45433349f

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
136KB

MD5
f8e51d4723304180865f6d07d0a5b43f

SHA1
0e4e7a47815b2b79f3358052fb6fe4c4fddc45fd

SHA256
c6befc04331459cbf0727eaaad0071f9220d6907a294d8e985a14a5be715b837

SHA512
41339f80e1e3991e02387a3121da3a692639733597b8d0027101fca456797540e88954f11cc26a0f15539cf8f820a9ac7b54d89b631fb7f645631df18348d8ae

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
136KB

MD5
5f5eab1cc3263be564fc77ed5b6af01d

SHA1
e8f534516ac725084994a14faf82da27c061408a

SHA256
0c9858152b629eea9b7b9de89c75be062fb1c8cdacaf48e245e9d9e2c6f9f931

SHA512
7256f8061795fc4551ed8b577705eb1e5aeaad4dcd1116f81715ef499fbd3d688b266b5e80790b10a0b3d5775b2d55818d72d502f01ee2aff2e9987075b596ce

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
136KB

MD5
006f5d4d4bc43cb263fa36b7b1dffacb

SHA1
fd3fc5e2c047fd6cc50ecc651f9a9f6fcc77f782

SHA256
b8a4df86cd545db1478f2968e78d523da2dbd89dd32d2198997224c70329d1ad

SHA512
c6094b949b13af7b86b656e473c6a6dc95fc8cb1da567272b4a5094eb02394f5d95fb5ef351c1d2916e13e5570dbddd5844615c66778e288bb6ee49a5e06075b

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
136KB

MD5
7b8c1e709a214e53fbf3c357ba8185a0

SHA1
4b60aab3f1b2c704b11bd755aff02799145f63b1

SHA256
bf1ca62e65fc2fc5effca28e057e7b32d1778203717f0d1a1160023bb2400789

SHA512
fa503b5b184a90bcb0793b7caac3412b511eddb5f3c63060f86f55a3d7bccfbbc0ff9c787de8b5db44fd1386d3b326d90e72b557134f4d6ba45dfcde612fb28e

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
136KB

MD5
69c93dcccde10d1750f36ec0040f7550

SHA1
45ba4b651e7dae579879e01140ba7813c266b40a

SHA256
3e3638e66b8c997b1f1f51e4346fa99576c9104759c7755be42a62fbfec9703d

SHA512
0a79d13f016b869aa46d3d1f95d3340aa3d7c48edd49086a3112f509d29f88d9f3244b452f9dbe69ae4d374bafd163a6abaac49afe38bb4ad552a94dee9b0096

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
136KB

MD5
731093c9df88dd2a019f9b816bca013e

SHA1
537c2f19dd01bd88193bcc7cc4e48c2200ae18e3

SHA256
5f44e450fad9822ff463361d7c9f96baabd19c5310734defa3cf715930b399f2

SHA512
1d65f69a1ef44f067d2c7a393efc28c27a308d4dafc84a76f547d3a757c6e43df43dc88455bc7fbff99d00d5408c3f01c3a2281e93b56b533ebab5e084c5cc58

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
136KB

MD5
f0b514a44fb9036fbd17f0c858df16ef

SHA1
1ca2a52f696f1f5d4f23e4c68a2d3d99c6acad27

SHA256
214701febdeab985eeaaf302c05e7ac79efdfa401a73eb1bbeed61a7d1fe9004

SHA512
eac0b389e388d626d6ac0e9ad929f831877ac3dd7ab84a33c3d4c1a89b669bcdae9b99dae8db1f8901d589544e31ad1d8198d4a4d67176a1ddfc503ec623a283

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
136KB

MD5
0a8f2602e7c2303f4ca3ad2d656e0284

SHA1
cbfccfbb6c1ceb2f73c9ab4384be2a89f95c6818

SHA256
2266b89b2c42d9d9f06b89099a375d565ad05eb8fec936a0a33d6bd03e8ee72a

SHA512
38ca4557811ca42ed344e9c1781ea2096fdd37a01d3759c680374a1c9bf033243c3761b3b356b3a6e74e671b246de12f5ceaf70929b31bfe768a38345bdfa2dd

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
136KB

MD5
b24941a405363f9e896933119970d3c9

SHA1
d970b48697423063fcb9373f60cd7f68d8e03209

SHA256
290410d156154441e85dbe15718ba5f282266a6b19a898fb7127eefdc62dfa49

SHA512
7b892919c68f921330694018fac4a5090bff9aebf5f6adff1d5fe72efc970a4f0029ab1b67617163b8551936d74132a42021abfe4be0aba7f75f3965d593637c

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
136KB

MD5
afe9afe5e8f57e8cc2d1b923f271bb05

SHA1
9249af0fc4de0869843cf62a5969297f680339ad

SHA256
8dfbd8387ea62798c01f1e0e75fdd4bbc45e4a4a1a6ed527925715eb2333c04d

SHA512
5c1aa4cf135ecbfe28cbddec9b884788de0474300fad96c66c92680c81147ced74cd9e5f8849ce481033dd3434acb65097c92df8d6e67a135a1764fff1a1579d

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
136KB

MD5
5f093920efe61928d757100fa4d1d67d

SHA1
9c575f0797fd6d75fc9ec6f1c2d77cb6dae97039

SHA256
3a939f9fae8326e70a3209686c54eb455e32315c28ffe1192cae46957f0e4643

SHA512
4a716766954cb4ba7616a514cc918a2e44366b3e014f185ff9117b0d41b3be1c306f3549d050c5baa8d33d9d8e678598e06a844782f44c186ac7d0d44d2394f2

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
136KB

MD5
776a73e151418b791fdadf617eb6c8b3

SHA1
7300ad8cc57ceef8d3c62b021192be41ce2e0e67

SHA256
0096e76e856dbc75c49bfe5f30cdf1aeb913fdf62ab4747ea976919210cc9bc0

SHA512
7bf641d75d9cc057c916b2e74e734474b895075c5c8c71b716392c79fbc0350168daab08993a5919c3c3b3707cee11adbdec6b2c5342afce1a8e03da844ef5ed

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
136KB

MD5
6c0a2ade229d58bb5fe6f01decc90ed1

SHA1
b26ab35d4cd51757fe255b9b9a3efbd7c95b6e83

SHA256
41d12e470e205dd67601e229b006575a181432211f6ed18c292728409e4639d6

SHA512
7e246e9fdbff679349b0461154faf5e4f878d3a8f5664b506cf666a81d3cec523cb5429bcdfc39eb9d8f7c9ea45d4577b94c4f4857ab38c70011e6e06a20b9cc

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
136KB

MD5
52d48bfd06ba50cb2ffc60bd577b0d29

SHA1
61c89945b82af397a1482e417baabb1f9a3e98dd

SHA256
2dd63c2da110d11dc036c3fcccac7e30a42e524963588669b5a7c901f5d5d547

SHA512
e7772decc532818ae649cc14baf0d03eb44cbe73b59805f59886a5fc32148db8e77bd547c02bb2010051dd61d87ba43034bbcf54ccb2a01368cb51a28891c12c

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
136KB

MD5
09f1ce9c30374ef3b5862db3ac3007e8

SHA1
1fac42aed4d3bc555ac09f66791d668eef77845b

SHA256
be26989dd609cb18fa23cc86bfe66d0f98b3163da5cca18725589b63082c34a7

SHA512
62aef86f383dacc7126189b6f655b7f79c14be02e3928ab7356275b625ea46555fad746688bdf5f451c73b385fd2d3d55f683392210d652e0b8e5f18505be9d4

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
136KB

MD5
7143902ee2f0b87128b73d3157fe36e8

SHA1
d39e66a099523caf14b20c35ddebfc854fef9a98

SHA256
0b4b7659ed842593b1c26b797e8ea4535bd0bfc02c7e638fab78f409284a4b33

SHA512
0942a9f6d051868e361f3c1131b595335c5fb7c8015e5781194d3187a86275a7e9a3e80595c41aa448721103b381004829823769e235c2a071d8b5a3455dbc61

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
136KB

MD5
f22b13f7642b34dc1c78d5354b7eefd6

SHA1
4bf61145c72dcb675bd5c6786507ee28aa70aac4

SHA256
a63f6754d45bb3d8114e15c63ff047226db9a5aef78347a4390507b3a153e5b1

SHA512
0d96334299544364a1afe36b918df68e4961c249fa910f39078c5b35b2abfc8f07ec60382f42fa9d97e9a414f23a0bdd21ea614f49c4b2c101a095c7106e40ee

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
136KB

MD5
c92c864fa34eb2743b1ee8719836b914

SHA1
1864cb084aed96b35bc74e37195ad823bbba15a1

SHA256
aa7a6d553b04db6346edc19c4dd33c5db37bc1761849ccaab52bac99ba20a0cd

SHA512
31645826ad0a9c50e27956b4b8eff00e13c590ebd99946a791558437f2db8f387685220a1308414ab10c745a27ea0e75dfc8de353699e72a8cff2faea8082a86

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
136KB

MD5
9b4b59c71981d9d431ef010f09ced0dd

SHA1
b2863a31c82871e63ed7f8364f158d1906272d75

SHA256
e0119b97b95f8fef14c01b29f919d647e3f28a1ad6f869ff77972568854db50a

SHA512
4c56e3ab30a07628235d51089edaf2b583fcc740e8ef9b05d71674e64be5b6c8ce9bc9c1f1eb378aa28efa6193a2cb30297248473beb9c49d45f7b118191468f

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
136KB

MD5
641d960034870a8b82a7c0ae455cfa03

SHA1
2af51d3da1a4c6cb9d47d37575eb5aaca259e5bf

SHA256
3e67bc8d34d10fb74189524654ba0e87b0d50b23fdb625e383f5333d8cb23903

SHA512
f7239b2fcae3d59b5d7de15ad3efc2d3510e0166ffcda869c3edfc75fdf5662b0c8587d65b0230635bc5f17857659254a435a34f408c5db7d8a234237828bf6f

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
136KB

MD5
2fcc115182d322666028a741dac6677a

SHA1
254b65f7f00406460e114f2615d01f3b9fbb574a

SHA256
2e17fb73d084800f96852e9d73537334556a72182f9b8f08c6862bc68e3eb1fb

SHA512
520e69823909345b38fe5005e9d3ff92a05ba9225216b6d313a66c8ab81b39802edfd25c02528e8dd22e6965e0bce342d1c071558625a13f451a4c2839c5962a

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
136KB

MD5
d0f304de1d8642673e862c36d65b4bae

SHA1
f0a92f77a9ccaf8bfd19e0580d83c24d700b2aef

SHA256
d4379cad3fe63a0ffbb16137d9ea70751a78f69a66ad27842489de06932345ff

SHA512
0fe1be99513452279e367b681cc93ecaed1f36c1192da2e99486641d235a797a7f6cf680ab748d4ebaf0382461a30470370a00d34e69cbf11593c082b1e5ca3a

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
136KB

MD5
7eb796a556fd4d4e8fddc1fcaa28d887

SHA1
937894df2da31bda4c73dd512f0fb2bd774de801

SHA256
7e31a1d224d65fe6abc11160c9e961c6db9573c88e92648c9800cf0eb64bf956

SHA512
89a0c3243728631d91ca162d79551a00cb1adef2ab1a813973d396b6663f4ae25723079d0341ea98a2741bbca418bc5925830fdf49f3508d3afe48da8b98e552

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
136KB

MD5
d627e370369285fdc4acede76eb0b1a3

SHA1
a4b49618e92b0c898fdbd27a5a60cd6555656ee7

SHA256
dfa0dedd77c69897ac689e06ae37a0cff728e0c596dad368a5fa710147a52a8f

SHA512
2b7686f8522e2e12b6460fe5f1084054b17aa258a4719c6de0314b1ceca0d26a606ca063b04b43f87975f5c5b917411564a2dca21911fefa99217118a93091d3

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
136KB

MD5
25c768907f8771989845a7697960fcba

SHA1
698e5c624a53c5a2d42b5afb66db7a5c631a7357

SHA256
7fe1f40d77716bf591d795c3e1e2f83175094ed22824b5d4965607da839658f6

SHA512
0ec77eaaeee2af7a35bfa20282c5981897e5849399108cb33c26a4217f0370f34314d1349f40cf650d1fe66a74795089e1470447169ea70f0ecaddc2fe126c0f

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
136KB

MD5
04444d56a1aa98b7030f2300ca0ca0aa

SHA1
9a697ee20f6a1c3a7c5166dc778560498917e873

SHA256
ce5b6b1169fb84a20c41d4fc3a1a7e3becb71b6b1c0389e2c7a96f5edc821022

SHA512
40aca695a413c9171f152049f21bf952691c352191e251e6ad8a591bd1c3143c2c4a90d8be3cbf9ce74fd36f84a2d2e983e8589ccf567be5eedf822ea4e56e28

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
136KB

MD5
5c392f985164193f36e7b4231bd2d118

SHA1
b85df74940be898efdc97207b13f6922bab30dd4

SHA256
a1855aa3ea1e6ca3c4f040a09d25d510b2869d33ec5c306041975711b3509032

SHA512
0dcaeee7ca9246d757d99d623ee4766c97bd6ff7cad88671cd8157e94d6008aeac3df18adedae0e4368a7cacfabff45988adefee1b2cb89f9c94cbfc3f4ef108

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
136KB

MD5
0dba4dc1faa47357329ffde8800467bb

SHA1
abc6c9653870274fbb2fd4f66717d1948ecd6aac

SHA256
792ca2195abcce74771df1830a39307fb6327481abfe029b4a2380b000dabc78

SHA512
3a4efbd974b184685fc0660d6dfd88f8c211d21d1538d7f8b7ae15c72d231ea7d863a5216a7e81be2ffa19591c62a56ca092baad8aa7ef56b6d59db978dcd547

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
136KB

MD5
6493b38bc38994cd222069f7de4f05c5

SHA1
df29da638570ac6bb74161b63d4719d05f088b90

SHA256
1c9b89400739266a96dab85ddb49a76a46a54b0cb51375fabef9cfa35bd3724c

SHA512
bfde223f371abd6f29defe09a6cc746f1db685bd81b204d4c75b51907b96ecafb815ce9c1e82a5435c96df748c3069d34514e31d48e0ee691a82c81fd284015e

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
136KB

MD5
2aeeb7337c1796df6e03d262e7112213

SHA1
0ff23b7c9cb713480c0b304bc80762005e941089

SHA256
432e9b60a15c3c74811733c647772305cce334798b04ad0e4879ecaac00c04d3

SHA512
528aa5bc8edf5e5b724802eaa1884594df0b97215fab96185775f0369c9d7fdfb357aabe4140e1d54bf81ad6bb56b00e05032cd52e048ee31db076577efa5a06

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
136KB

MD5
807087120fef9f5fd1e5b59d81e5b9ae

SHA1
1ca37b8b6a6798ea9d5ed40566f01e77f56cef35

SHA256
245e05051ff6eb89e8fa8b67f611427674c916bf8a9e9a93be6a930de4cff8c0

SHA512
0da0f0ee6ead9ec78a660f62192ef5630503f1bfd985b01f6d615d73e381019b16c445f5d1b2bcdbc4639727bf263dd541ca5d48a45bcefab54f939586c71116

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
136KB

MD5
bad5e3c0cd0e6bf5997869068a193607

SHA1
d4ac4ddbbfe8c64de670f835185d7af0880295af

SHA256
79b876dc7030e74bc976005616e8a192c90a18fb988caee097e9460d8dbe8c53

SHA512
4d98cef43b652cc3399c772427d44d6a4f407a3155a2897cab12f75c8c9afb2dc938d7c020371cd936a188e565c76b9b7ce48930a0d8eb8f3870229c0bfa2fb2

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
136KB

MD5
9bfc44ed2142eba93cdc232f486aaa7b

SHA1
6463c87eba751c23f7ae35537020bd1506fdf991

SHA256
b60edd415361feaac7a06e961c11fd737c4bd3e30ba2e0fb690b2bdf94f42834

SHA512
165c2ccc88e60b8251732f331b2b874ec22705e41b25baf93668cb43a5018668979b8a6c9e8d7a7d2381818c885f7c99f29d359d6f48a4e328e18ed8eb50b6bf

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
136KB

MD5
41d19c94471f580f53558446fd471331

SHA1
730725bba21fb0e7db618399ae633bb4694569b4

SHA256
a04b4ea39d6a270b1827df409eeccda28d879f72f419283d58964dc10f75e0f5

SHA512
8911d1ae5438649d04ef15a6c354b9652dad6d5fe0be9e84d91164eafaa9d2918b8b99fef099dffade755b5257dc921609a68cf2d29d26a843329e3881d2746a

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
136KB

MD5
d4369544822e4a026d47623ba25c0525

SHA1
2ac49e088fe87d6f6620bed5051d8e09167114ca

SHA256
651c7d3a7aa062fea107805691a7321518f992f748e3b3c1e63bfc544e89ee72

SHA512
92751b05e240bff1b24a375661083784987a7ebaa529171fa524abefc6974dba91e304179a5562911a6e7748d27a0513d1bf81b98a878d721cf438384a5947c8

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
136KB

MD5
31e5f6625bcfee5eed9e0d40647b5329

SHA1
2af4361d6e52aa88c10420265ef180da36dc8173

SHA256
e9bf29fba0e98c23bec62cd7aaee36b0daa3dda33edce92834847cc213c5896e

SHA512
cd3cee238d43e61bc15e669d138b1d5a80402d424c4de46596eaaebe60650a75606f1bcbf0586f69a51398667345c7cfbc37b9496d3fb13834a993a479a62869

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
136KB

MD5
65269477de69956034e8972204d37446

SHA1
2929c2a0da84d71714ef8398c7f281d574c8cef2

SHA256
65f3c1371f36306401bfc82a2c43df12ec74d8981d8ae13502b78a86b83c9a49

SHA512
8cb18e0db0afc07498e54a6f5e928ac26adc57cf000921af161b37b6772de92fddcfa80fbb92c2415aa52005108c47f07330c1542d00abd40e3d361021cd99fa

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
136KB

MD5
669cf2bbfba7ae1d8bef52866ee84589

SHA1
d0e2c24f901729709a6442700ed692deb5b9104b

SHA256
e4facd01408e468b48c8145d64aaa442c697aee7cf8831a4b34e392213bcf53a

SHA512
d07d11902351b4a8a2df6950ee17c3e129e4b3af3a5f10321c9ad5991eb495e22f2f6f221c85ad0e8ef4d2b2249452d7e886628debea8ff2fae72f808ddf7c62

Download Submit
memory/428-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/428-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-1084-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5388-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5412-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5424-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5468-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5596-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5636-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5700-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5760-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5908-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5932-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5956-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5992-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6012-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6012-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6068-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6068-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6384-1066-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6472-1063-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads