02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11

Analysis

max time kernel
136s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11_NeikiAnalytics.exe
Size

71KB
MD5

235da5dffa0cbc2bf7803bf1c6abc5e0
SHA1

ae99a83e9ec94ac1986f32023a5cee66c78b0b47
SHA256

02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11
SHA512

4b5eb9bf399f24f31f273cd02b9b6d45ba704abc5034a34a8395a0a51269b91d558da6788c4ae99b5382a909bf3f6c59b7808f3d4f9a751f60acf6ecb2c1e8de
SSDEEP

1536:DTKNJEJCK5V+aBfNaNAMjegM/Hm5zccO2TQyWvSrkRQnDbEyRCRRRoR4Rk:fKXmr+aBf4egkH0zE2H4e/Ey032ya

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe

Executes dropped EXE 64 IoCs

pid	Process
1196	Ehjdldfl.exe
2852	Eqalmafo.exe
2192	Ecphimfb.exe
4900	Ebbidj32.exe
884	Ehlaaddj.exe
216	Eqciba32.exe
752	Ebeejijj.exe
1436	Efpajh32.exe
3768	Emjjgbjp.exe
3120	Eoifcnid.exe
5048	Ffbnph32.exe
1688	Fhajlc32.exe
3888	Fmmfmbhn.exe
4272	Fokbim32.exe
3756	Fbioei32.exe
2140	Fjqgff32.exe
4600	Fmocba32.exe
2308	Fomonm32.exe
1556	Fbllkh32.exe
760	Fifdgblo.exe
920	Fqmlhpla.exe
1972	Fckhdk32.exe
540	Ffjdqg32.exe
372	Fjepaecb.exe
4696	Fmclmabe.exe
3424	Fobiilai.exe
3476	Fbqefhpm.exe
2856	Fijmbb32.exe
3024	Fqaeco32.exe
1344	Gcpapkgp.exe
3968	Gfnnlffc.exe
3296	Gimjhafg.exe
4392	Gmhfhp32.exe
2400	Gogbdl32.exe
740	Gjlfbd32.exe
1040	Gqfooodg.exe
3976	Gfcgge32.exe
3260	Giacca32.exe
4528	Gpklpkio.exe
4920	Gbjhlfhb.exe
5108	Gjapmdid.exe
4488	Gmoliohh.exe
832	Gpnhekgl.exe
1888	Gbldaffp.exe
3736	Gjclbc32.exe
4048	Gmaioo32.exe
4976	Gameonno.exe
916	Hboagf32.exe
1540	Hfjmgdlf.exe
912	Hjfihc32.exe
2368	Hmdedo32.exe
4652	Hapaemll.exe
2664	Hpbaqj32.exe
3936	Hbanme32.exe
3892	Hfljmdjc.exe
2312	Hjhfnccl.exe
1676	Hmfbjnbp.exe
3388	Hcqjfh32.exe
4700	Hbckbepg.exe
2780	Hjjbcbqj.exe
1516	Hmioonpn.exe
4416	Hadkpm32.exe
5004	Hbeghene.exe
4704	Hfachc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fbioei32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Bheenp32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Idofhfmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6776	6648	WerFault.exe	258

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ffbnph32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1196	1220	02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11_NeikiAnalytics.exe	82
PID 1220 wrote to memory of 1196	1220	02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11_NeikiAnalytics.exe	82
PID 1220 wrote to memory of 1196	1220	02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11_NeikiAnalytics.exe	82
PID 1196 wrote to memory of 2852	1196	Ehjdldfl.exe	83
PID 1196 wrote to memory of 2852	1196	Ehjdldfl.exe	83
PID 1196 wrote to memory of 2852	1196	Ehjdldfl.exe	83
PID 2852 wrote to memory of 2192	2852	Eqalmafo.exe	84
PID 2852 wrote to memory of 2192	2852	Eqalmafo.exe	84
PID 2852 wrote to memory of 2192	2852	Eqalmafo.exe	84
PID 2192 wrote to memory of 4900	2192	Ecphimfb.exe	85
PID 2192 wrote to memory of 4900	2192	Ecphimfb.exe	85
PID 2192 wrote to memory of 4900	2192	Ecphimfb.exe	85
PID 4900 wrote to memory of 884	4900	Ebbidj32.exe	86
PID 4900 wrote to memory of 884	4900	Ebbidj32.exe	86
PID 4900 wrote to memory of 884	4900	Ebbidj32.exe	86
PID 884 wrote to memory of 216	884	Ehlaaddj.exe	87
PID 884 wrote to memory of 216	884	Ehlaaddj.exe	87
PID 884 wrote to memory of 216	884	Ehlaaddj.exe	87
PID 216 wrote to memory of 752	216	Eqciba32.exe	88
PID 216 wrote to memory of 752	216	Eqciba32.exe	88
PID 216 wrote to memory of 752	216	Eqciba32.exe	88
PID 752 wrote to memory of 1436	752	Ebeejijj.exe	89
PID 752 wrote to memory of 1436	752	Ebeejijj.exe	89
PID 752 wrote to memory of 1436	752	Ebeejijj.exe	89
PID 1436 wrote to memory of 3768	1436	Efpajh32.exe	90
PID 1436 wrote to memory of 3768	1436	Efpajh32.exe	90
PID 1436 wrote to memory of 3768	1436	Efpajh32.exe	90
PID 3768 wrote to memory of 3120	3768	Emjjgbjp.exe	91
PID 3768 wrote to memory of 3120	3768	Emjjgbjp.exe	91
PID 3768 wrote to memory of 3120	3768	Emjjgbjp.exe	91
PID 3120 wrote to memory of 5048	3120	Eoifcnid.exe	92
PID 3120 wrote to memory of 5048	3120	Eoifcnid.exe	92
PID 3120 wrote to memory of 5048	3120	Eoifcnid.exe	92
PID 5048 wrote to memory of 1688	5048	Ffbnph32.exe	93
PID 5048 wrote to memory of 1688	5048	Ffbnph32.exe	93
PID 5048 wrote to memory of 1688	5048	Ffbnph32.exe	93
PID 1688 wrote to memory of 3888	1688	Fhajlc32.exe	94
PID 1688 wrote to memory of 3888	1688	Fhajlc32.exe	94
PID 1688 wrote to memory of 3888	1688	Fhajlc32.exe	94
PID 3888 wrote to memory of 4272	3888	Fmmfmbhn.exe	95
PID 3888 wrote to memory of 4272	3888	Fmmfmbhn.exe	95
PID 3888 wrote to memory of 4272	3888	Fmmfmbhn.exe	95
PID 4272 wrote to memory of 3756	4272	Fokbim32.exe	96
PID 4272 wrote to memory of 3756	4272	Fokbim32.exe	96
PID 4272 wrote to memory of 3756	4272	Fokbim32.exe	96
PID 3756 wrote to memory of 2140	3756	Fbioei32.exe	97
PID 3756 wrote to memory of 2140	3756	Fbioei32.exe	97
PID 3756 wrote to memory of 2140	3756	Fbioei32.exe	97
PID 2140 wrote to memory of 4600	2140	Fjqgff32.exe	98
PID 2140 wrote to memory of 4600	2140	Fjqgff32.exe	98
PID 2140 wrote to memory of 4600	2140	Fjqgff32.exe	98
PID 4600 wrote to memory of 2308	4600	Fmocba32.exe	99
PID 4600 wrote to memory of 2308	4600	Fmocba32.exe	99
PID 4600 wrote to memory of 2308	4600	Fmocba32.exe	99
PID 2308 wrote to memory of 1556	2308	Fomonm32.exe	100
PID 2308 wrote to memory of 1556	2308	Fomonm32.exe	100
PID 2308 wrote to memory of 1556	2308	Fomonm32.exe	100
PID 1556 wrote to memory of 760	1556	Fbllkh32.exe	101
PID 1556 wrote to memory of 760	1556	Fbllkh32.exe	101
PID 1556 wrote to memory of 760	1556	Fbllkh32.exe	101
PID 760 wrote to memory of 920	760	Fifdgblo.exe	102
PID 760 wrote to memory of 920	760	Fifdgblo.exe	102
PID 760 wrote to memory of 920	760	Fifdgblo.exe	102
PID 920 wrote to memory of 1972	920	Fqmlhpla.exe	104

C:\Users\Admin\AppData\Local\Temp\02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02bbb05f5dc61dc84bd08a59aaa9af0e8f59e6bb8b402238b068a2fd23a0bc11_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\Ehjdldfl.exe
  C:\Windows\system32\Ehjdldfl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\Eqalmafo.exe
    C:\Windows\system32\Eqalmafo.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\Ecphimfb.exe
      C:\Windows\system32\Ecphimfb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        29⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        31⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        32⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        38⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        39⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        40⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        41⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        45⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        46⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        49⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        51⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        52⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        56⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        62⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        63⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        68⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        69⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1504
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        72⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        73⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1500
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:588
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        77⤵
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        79⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        80⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        81⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        83⤵
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        89⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        90⤵
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        91⤵
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        92⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        95⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        96⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        97⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        98⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        99⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        101⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        104⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        105⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        106⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        108⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        109⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        112⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        119⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        120⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        124⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        125⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        128⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        129⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        130⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        132⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        133⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        134⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        140⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        142⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        143⤵
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        144⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6576
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        146⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        147⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        150⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        151⤵
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        152⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        153⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        154⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        155⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        159⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        162⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        163⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        168⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        170⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 420
        171⤵
        Program crash
        
        PID:6776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6648 -ip 6648
1⤵
PID:6740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
71KB

MD5
a5e6bb0b3d1b23be85ff8d04caede65a

SHA1
8822ec34905f74bd7cdfe97538222ce3ba518b6a

SHA256
6a13799bd37f4237e84648e2ca3e3a48981dd7d8020808e1512cfb11d0d64bd6

SHA512
3b3e247114ddf64c290127a60ef7c194ef8754c79c773f92abf638d8b25265c16a917ed1841a23ce8c4b02166ad2c790961b715bc8ad08e3195b9c0e5e90fcb1

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
71KB

MD5
54bdbcf0f775fd4b0b028fe262d8a9a7

SHA1
0fb4479aae76bf89c1246ad04763cf0c4fc704b2

SHA256
2f706613c392f686e220bf15a7f843e3c6b1834fb64186329bba50c0b2e72ed4

SHA512
45c922612528e13838a2aaba78422258dfa9bcd76ba310d37f373c8d82b1ae9883f7caa22dec9e59a130cf716e738e9a082a076cc76fb1aa772088ff13abcba3

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
71KB

MD5
068dd561bd53163f2cc844c94546c5b2

SHA1
64cd72d4f58c23671d554cbdf96fbd09ba6fdc91

SHA256
9cf29a527b636040ff7f427b106189604c9914b5055ba553411132b468114aa1

SHA512
23a84bd83c56185da550a23e3a58dc653a52a8672bb92ae8fd3d734628d2392b7e260be5727f4345e4db67ab158d4247091b2988808734dcc23810c0e495af88

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
71KB

MD5
b974a17421fbe5e74665d4af2222830b

SHA1
468b5d1368f18615695724cbf95e89893a2c5822

SHA256
1d80af457daab43c74d073f921e8f6a03a608a8d848d4655b780b0ffa7817183

SHA512
f3c8ed70e67b57b52151da9adb14b5cbc7c7b95831dac493077e1f3d9871dc89deaa0e67d6058b297b1378c48973aea0bda275c5c0a40562abbc58d5d7444efd

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
71KB

MD5
0c2a7be09777beeb47579ac0da049ee9

SHA1
e526caf4d92f6f89759487e9c67ccbb0df856393

SHA256
dbd568eb4afd5b9195a512bb40771f8ee5389898951aae82d5e8c489ca0ab05c

SHA512
9b1dc22d96e9b98b16245f1e38707e6c1d9f2bea4d45083e3fd0eabfa24852d808cb3b63b400f0cad8f0f3217c8da57a011010c5dd2b552caf90a6ec8c47d287

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
71KB

MD5
9cde47fb14c8fba29c440e2fa7632af4

SHA1
b3247de9ae5f6dac7fe8385152712469a3fc6632

SHA256
d2dd478052507a4557a9203dd1eeefd60521d9dfd39037bd8813a3514012527a

SHA512
d75bc08fe25fbacd8aeea0345cfccc0773c7ba4f074b7e9c189b595c4623bd88b3bb75cc96274703c43c2528fb82f4f3a2531c16d4cfef24e7843e31c876e635

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
71KB

MD5
5d31b46e29d277d9371b772f0c2865fd

SHA1
df2d0541d48e96e18c7c945a2a252b4ac08a338a

SHA256
48fe811373db387475e49e060a84ec3c3a843ceac93e2b83447d0298e324c694

SHA512
e6d86394d882cd33a251c943c8af460cbd0b9c475608ba236db7673fc1ca52701e06dd6f2858a7c5db726e09948dfd0c6b1a10f682391a898a3ac94be5fa40b2

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
71KB

MD5
ccaccb9232d38640b0ab32b7495bed22

SHA1
5b89d4cd8bf036aadc451120cc3eb38038aa9c1b

SHA256
c3fab58a5ea8ca023225372bce7a9737a260a8892aa3b0ed7aab4964ba448220

SHA512
f1f0b2fc082a5caf06e40d186b7b492094121bdf12cd24cebbd0b2d8327fc2e535344a1ed7f0306b2c9b71e9308fb0cde63fc524085881a67a1f91d6e1c0d9a9

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
71KB

MD5
c3edcc0958075f2197fa5054c2b21ffb

SHA1
81d29bfd12df0f9d90ed41bcb561d0835cc46623

SHA256
fff171da3d91264e3c150b83e6a39d5ff88b6141cb2a6c1a34bef7cd27e9e230

SHA512
5f75746610422d729b9364c1d8c0dd836de81b884416002e515347e40b6ab8afd30a6f9bf6221a7e73ededf337f681e2ea6fe341f05e607e8f8555e2178c644c

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
71KB

MD5
562bbc0e940a874ac29f8bc7a2853219

SHA1
c341740df6f33eb2f95781aaf057294a84e81e7b

SHA256
6377761b9ef13db09a3fa6ba86b2dfc12ae9fac656a1c99a7c91aa32e9ce28f5

SHA512
1c368ac5bdecae60fb83ac12599b4aae03959e2d5af7893a7f6ed83bf8b75f8c0d59a73967b54fde9dde1e619537cecbac88be3593bc18465dd8706a214a65b6

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
71KB

MD5
bbf9f3445784f02ec7be3c2e63579865

SHA1
7b4340888e571f98d99db5dad45d3627720d43cb

SHA256
7fb20dd018ecde46769eae3467923c891bddcd728a2ae9c0bfc5aa667259ec1a

SHA512
5e57fbad5d9351a8ba4a96fef0c114b701770f56c681e5fe88be66f3d85d851f757eb806a1304fe7e8e0389b01d595bf9d0a992cd116af5e8d106c70ca97b2ec

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
71KB

MD5
a5fa72dd1b0734b6af892252c43159ae

SHA1
b8762ca772568b53b5156b90c118e20d493351bf

SHA256
b202c5651707b1829943f093e4813642c4d2bef8b00140cda7cdc5eb8217edb8

SHA512
4b29935adeadfc00370f335ce06ef68bb6ae0db6ffb916f6baf325c1b41d33d58e87d039298c9dbc1e2362bf2fe48fbd73fbbb8059799504ed70e6de34440e9b

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
71KB

MD5
24a825912af79e069fede7b083c71bcd

SHA1
661136e5fc9c6452979a75fe7ee4fcf49b438e53

SHA256
04ed0c42666355e7da3e8225b191567671443b758a47b2730728d2e81289b127

SHA512
cbf91fd03150529bc8c886fc972daba3c701a64b24b786adeafe662099bd4d9460d400bcdc871314a0d7bf2a43f8d16d1d6a2f8ebd538b6912a8aa9b74dfebd0

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
71KB

MD5
9f029e1f0bd50648ee9ce47999b79018

SHA1
7236ad5ba2b3ec70ad32ef9bdad2266a39eb8234

SHA256
1d327c91ae63b8a062fb05b47e97bd53e4810328cc601956f71223c4e04b9e8b

SHA512
5a4e835b154c5546f123bbbdf5e3169ffe8a3584302b379ffa4d71400a9d8bf7ba17f97d07751419d7c7a2a7bf8355b8c2f016bb40b3c5fbbe54176505ac0f71

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
71KB

MD5
5e829d7ed32771a62c9a0470e0da46c8

SHA1
52b19116d28d00423815700109e037cf493aa3d0

SHA256
1973ae2dda0c6fa60079af588e1eaed96698d1f2244783587e631c1a2afdb005

SHA512
90196b550e2e74c3ebb0e6546cc043a2dee3281fa197680e482b24547ce2bf3457029eeabcbcffb79b43233802672cc7b82ff3ee4b461293f7a020cf4779b639

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
71KB

MD5
abb7d4f99bde4f74e0c7dc494e32e7f3

SHA1
d9ad602c88f0c669572874a68dfff4c80ff80d03

SHA256
c72b87737e563f25d0969a6f6df57fbabb0d9956f7b495d3280bebc006b8f7ca

SHA512
571c495624596c787d8771ef30386ec5ba6c042ef16890d1dd7e2c82c6619f0d6a705b4947538d61011f7cb278f31b5811f30301afcc99943d095adc848c187d

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
71KB

MD5
a03b440e6810edc3642830cd082888d3

SHA1
39d0a542522c77db47ae690095391e82bca6e71b

SHA256
7659b040c8004fe60884691f8d3ccd191461836dcecd63f386894298b777f2d6

SHA512
3faa79fceba35b2c4b6f23ddaea1d2589b12cf8bf22171b9e1806d76a5ac63ff322e6bcc821f34901aada443e615ae059b5319173668979324f6d3b28b90c56d

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
71KB

MD5
173b836e7be60975ed4b87316a11fd88

SHA1
ee44bed5d406af2a13016a99d48399744657b7b1

SHA256
9508e71c368302fac111a8c7402632abd0d5a8b95713f077eedfbdfa842899c8

SHA512
18046e7516bbd895af2103c6424936afb284a88a3ad5df2f428535c5303b978d7acd4d9240dabe0fb5a94011dd564cef128d35ee0538413eff1e2a4c5fcf233a

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
71KB

MD5
98a4aabdd1eedd5d16a92b7ded63056b

SHA1
72acdd1afcceee7ccc967a97877f341cbbc56cd8

SHA256
53279c6b1330f04dfd7a45ec60883baaa734f703fcc90ad5f3af74c166daec91

SHA512
e6be4d2b13351b8445513df687a54b42a1f632968c70908654d98c8e5f627049d58dcd7933cba5903d5750059b78998b35c094b265b77e34e0f464095f44cc2b

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
71KB

MD5
3f0e56dfa5af04cac72ae5070e9bcc34

SHA1
6531da4b99e0e0687fb379ac7138e35052044904

SHA256
470dfbe2b0ce36a30e984bd6f83808948357e67c3b46ea47048c828a07ce04b7

SHA512
b285553831f7cec79a28e0febf1affd862aadce9ac781930ddcedc62762477913c6580f2731aff1c87eeee438c69e8d5e164249c1191290ce80f603f61dcdc13

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
71KB

MD5
5f5500355c18c1e6ea858a566676ced5

SHA1
845550818e2f1193aab3b923d669c0b7c70e3795

SHA256
75052c2cfd4b41e28cab9c1d653ff531ad3683f3402e969d94611fb6cb6f9a0f

SHA512
aee2920f89a14926ca8148cbf7c37b06dc2668b7287b14bae740feb0fa2e9b409dfa3fdb2ad4be24dcfb442e973698d8753431ca6afd4a5d88f673f64d4fb1c3

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
71KB

MD5
090566565bbf79a441813dd6b4a36d0e

SHA1
10250c8ec5e0de3b1f6b20de8e897540aaba22e6

SHA256
377580a89525eb3bc497b51292688a203602b847c733baa68ecc30e215fbc78a

SHA512
4cefaf8b1e96c9bb616f5bce3e4bb2a8114a00fb1bef372767c4665c65aff519c71c93310e481edb5217cfc1ba7d89acc917905b111f4e04d1d1103193e122bd

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
71KB

MD5
0b9558d89f859d364c4f4f580e177347

SHA1
cb540efa096d761e36667718c32387df9285f873

SHA256
0d77a84e4bb22e87bd82a10e1910a7e58c720748612d4ff3c712922b347fa2c0

SHA512
8392ab2581987f0fddc97e3ee5caa3834c76fdb389c286eadfe935b64023ab3ca99a18100787b62f4ccb321c76f953e31393674efcd784fdc6a118288d52dc32

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
71KB

MD5
2f8768c429db5959d44f4a1ad305c6f6

SHA1
69eb16a3b6c3498d1e10674570e394e930d30035

SHA256
c8f9f2e4353e7a6f8db1873d5ea036bfabf9c8359f75e165c507d4e2f5748cc9

SHA512
7cf1687bb3e8cf74485f2b58433f4102e5704030d2902640d1415a82cd29518b440021b279707c846df63db029e1a6362c8a4675d5147c2f875887b840634cc8

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
71KB

MD5
3aeaf416c30d236e5351dcf9b42e5f62

SHA1
131e50b568a1c1a8a8713d24a14f04abb16e1454

SHA256
bdc83a7b18c5dda839c79f0ca7dc7978c44ee1bbdb7da4fa4c8fb77ecd69caac

SHA512
49dba2da51f81f79db23ec8e35d2ab3f6764fe8f5b3865178a4ccbb9c0f9e6379e18d54cdfebcb9642257e13ecd81a9e7aa650d5e0d98e94792469b5643cbecf

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
71KB

MD5
b08d6e833ffe206f14441a9bad7fc52e

SHA1
afd83f05a070c3e50a2c4caa80c9110a8df54b79

SHA256
4b3492a91e2953569a5bf55d1cda21c513ce9bec954be6b94ff68c1eddd3413c

SHA512
7084814f4e161d75ded7d0b3a4973fcc7474c5c7d858fd710156bdb6eb25cfe804d5fbacf764323ee0f0f0b3d0c1c44a63038d5e0e0f49c9cac688f264db6b24

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
71KB

MD5
eb01fa0dd3745f8c0d7953eac77c0063

SHA1
6cfcc1978e7133701209aa326946f3da47b9712f

SHA256
34e57c094fd9522bf298b7d9cf723145da2a4f884ef5ae8411b2017fc6667b34

SHA512
74bf533a5373862d09e8031a017057aa871c8c3ae744f4301fc3247f2b4adb06e068a2505b5703645265ba9b20c6e1c06d4550f8caa9a8e483cd3db8d6a633a9

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
71KB

MD5
d9bb7b95f704300e1a9e641cc34f2754

SHA1
49b67638c9e0fa28b047f55b5f639487fb016cb5

SHA256
9c95fb02b64d97581624f058ee9cf2332b57c70ed0f0964c27be515fc9d4d025

SHA512
52ab6441af0c73a82f89d24b2927c3e31cdd5fde5a7bd4f146b7baa1ec91e69ddfd5b3f6c23456cda0f00dd40b6beab1ecd4619a1dbefae2d0d0a624a3edf9f3

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
71KB

MD5
f1ccebbf7bbaa129cdff91a69a2b06a9

SHA1
62b879315f5c71512f759aa244d87510fc749113

SHA256
a43aac0f6bc13e1189a31f3028fe1a64525b7a3600065936395af31782b8863b

SHA512
bffc7d80ba88bdbfb70182c836886258c686b0e7b9d3a55937b3fe25b5a040ea962aec603f3267513db579758f114972d3da4cb633bd2f182fe421edac6302f2

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
71KB

MD5
85ce6fea3f20fd343610dc64fa42073c

SHA1
fa9ffa78f26b332c90715357d2a54fd5cf183751

SHA256
996774a2a0584e7652dccf00fe30109378363275ae4c31a174ba8dece796e674

SHA512
ac2a68ad5c0192d9fe03e7dbf2e7a460d1591dd312784c5846709be4ddb2d960deaae986f7676480a0e2f420987b7f8d2a33a69289d6983ea9974df4d8482c2f

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
71KB

MD5
a4d730f5a08d9da852b6aa424880b788

SHA1
8a30b0f792c0ff3d5c8986c86e38adfcd48329bc

SHA256
4b7b4a98feef53104a420a2cd90ebf5ad20af0a72b638ebc385efe7bbe8f2f6b

SHA512
bd36b34db6fcb930a42eb95b718bd676a1f64b6fb692c9c8a64970e4a30bb5141dbcec877fe9dc78a41059a0b5787bb6c2e9c3d06374631f499befbbe31bd1b6

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
71KB

MD5
1f1053168baf73759b6b4f2a5dcb1575

SHA1
7ffeeae71b78b497d98cad2d46de73d5cc0d9544

SHA256
cc642a109991dff59b13c449615db830e0ea2e310f3ee9655d46df4e37bf1e97

SHA512
91886249135add8007ceaec9dc461f7183cb77d0c185a4122b55f59032025688d91c36c6dd3898be1dd993d5922a86db435cc7fd64d80f2538daa76c524db850

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
71KB

MD5
93a84e3880a800816256358ae5b534bb

SHA1
f4173a202ebb4946acea1f1ae1c14151f62bb790

SHA256
dccb9afe5cf3b5d998c21492d5f40f87cc4053ae45719efc736e170654d44bfb

SHA512
42a6c4cfe5e35f876c23b61dafa797ae38665d055e4aa832bd67fe0bb09372c3e72794bf2ea6ac0f0d4473bd1d1a8ea94c4e747b17aad401dc4a0e2bb2309912

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
71KB

MD5
17ba9368fc6d1791bc32fedc10cf8e54

SHA1
a5bcdb17976cf92b9a747cad6b4434b5d09f67eb

SHA256
2a6a06531b3daa7a5842e6a3faca6dc1ff23faee4c20b50ee81d3439b3af9d74

SHA512
d1658e1aaaa3eaff38b25d44a6129d2f54ee499c4f3c47946d5806f1549c61dbabaab04d10473dc23dd99b2d6421491ce73d121842acb35df4a6c261f3e4bb93

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
71KB

MD5
2687652105e501c2051a66d381fc5d58

SHA1
9bb99d323cafbfb658821f78c93a8805cbd750e8

SHA256
2012b0f001db433be4d4182b7074bf7c90dbf25b83dff9fcafa1257b994f0ace

SHA512
54c78c4fdf58e2745a91633cb532cc6388a6744bbe4c27fc4ea3e8f0528f7d13e86bbbf69027ee23d509398d841159711c9c2dcda58ac5c4ac9fa48a74a79c3a

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
71KB

MD5
a22f9ca429e138aaa7e55a7fdd58425c

SHA1
8080e706fd40eca912f9de2119fd0004b9d7c0e7

SHA256
1797313f66bcb6d3a024b069b11537cc2fec4edfaf4d0ee007ad1da049a4c91b

SHA512
0e94056ebdd0aa9a8fc761bd74230442bcc055389f825e3f15c7c09bfe116086ba59a4c206bda69ddb5551c266edaca84f7385584b35bb68aa591e4111f9f4c1

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
71KB

MD5
755164aa123408ab2365dbf5b7256ba5

SHA1
fbfa7d6ce5e3cc38463ec2b3bde32fb757495b9d

SHA256
2eff56ff2cb9b23ccd09356015ca4d4ef97c3bf6f61c1c51708a1bef868acb17

SHA512
aa7b0fcc75aaf344f22dc3fc5af70bd2c1eb48c014a4084a5919d0d7659e4a6696e8ab626dbea4218c8a5e79c61d8448b6570a1036862434c7df5a84bd6a6fce

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
71KB

MD5
7c6abea767db30cf5e053ba48118afff

SHA1
37e2e9851efe683fe89ee704228c0c16f79244f9

SHA256
26c76979fcc0e3fd56b1425339fc50b99c90eff78c8c7f7f81174614370fee1a

SHA512
b601d939e79feac346a529837f481ad22e552f54c8779285af5cbc289228d67e8a291c0f425f993da1cb1eb1150dbff96f85756e83c2e083be57d5ac8ba4e20d

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
71KB

MD5
9110d5db53541dec4d2904d5a7d352a3

SHA1
1817c6f23d07289a129feaff4af1381eb9705364

SHA256
3fd69c007979021371aa18d0b6a469b89f7e9e7ece048972d3e2a5e42f7b3416

SHA512
6035282f6c020da0ee4f42756abc1e6407150276b4a9f577f6b6fa8776d1a5cabd64f8c1c2a05c35124a5c1de6c0947c53a9f1b67939ee2862272b5a93c6babf

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
71KB

MD5
7533bb1c9e07510930a020b3168d8c8f

SHA1
98521938450cdcd13f08f1c7c9929a2efda4d67e

SHA256
b07103704ac13b37b27d2360b07f1879eb661d3c7d26396eb0252db81345f142

SHA512
a84bbfc7bec9de6445092ab83415daa2f9fcb1632925833ff1c806c7167a528702e70b9cdae9c7dda0b6af09244fd36a3876c4b0f8d10a38bae5502d0a1f86f2

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
71KB

MD5
bce83adc37adbb2becb93b88e3648321

SHA1
1074a9461b9e22e20f1e7f22980741173549be9f

SHA256
8dfcf072749fc8b24c46ae06cbcd4b33e8bc28006c012478736515a3880f7d16

SHA512
6467526211b7ad38e56f7db5091d2804609d2914cc356a4f7df19c487f64ffe88cffaf5fcd2465c1446a4133147cdab402a9c3311b2edf64ceb046b7ed0aa1e7

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
71KB

MD5
85abf30277a285b606b3df7596b40317

SHA1
7b9228e22bd882f742d84dd10e01a2745414b4d3

SHA256
33f3e9c6e44078a0611eb3812327f808cced753be0983ead302f8699fc5ae08b

SHA512
ba3f13f0d0992db323205c20e36648a26b62dec75f37aee95087e6548d32b11c6b0f11afa7ca2f67b914b9b5825a24ea5d593b2393258ed36eaba6de289a015b

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
71KB

MD5
69f480e46a08edb0e1655285341d614d

SHA1
5653dff92b19b48b0be29457d8672e4c0e99bba2

SHA256
43e7d33be21d882f5e46cdabbf0130b785dc17434e75bd6d610033b747f690f0

SHA512
60d7b300ea9c8c3905c66ab3dd54b9599269ad3f2886f2b07fe018ffed4d3d9a755b8cb67e8aa81aacad673cfe6bb915e67f48a720529bf3954944b1b66fbb59

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
71KB

MD5
44651bf845dafe7030d097c4be283e42

SHA1
d9f0ca367c54e24b1348fad4e8c1795d45b2aedd

SHA256
5787a6f222d6b8cec1fc0eb774ec8317c1bc9c25221cb4023bc4ee4bf964398f

SHA512
3758336da9819a3dbebdb8fadaf8649ed9d71636b0a1df7fa0ed80a4b66d19fc00ffe2182155ad0a919ddd084f0b1c32eb47345be21f1993be28a3c91d70af7a

Download Submit
C:\Windows\SysWOW64\Nkbkiioa.dll

Filesize
7KB

MD5
97e5cce6994b71a8874b9f1a9ed1ab29

SHA1
16988e92f06c4eaffbcf3eaeabb3cd0d8a9db7d6

SHA256
e92e830482dbfb12e8d453bb2a70d3d5e6eb4930b4e0b0e731b21422135af4ed

SHA512
e1ed1170bd12e2f90b2b9d5d7d6e69953a674477a39a9466be34eb19dce3961cffe2eee52888b320844d48986d16c3642106f306e54f6e9476b73180e9c7b132

Download Submit
memory/216-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/216-583-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/372-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/540-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-557-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/588-514-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/620-564-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/752-590-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/752-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/760-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/832-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/912-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/916-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/920-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1040-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1048-556-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1196-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1200-550-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-548-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1344-244-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1364-591-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1436-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1436-597-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1440-584-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1500-502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1504-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1540-362-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1556-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1676-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1688-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1888-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2004-472-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2116-520-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2140-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-563-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-148-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2312-402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-526-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2400-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2648-575-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2664-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2852-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2856-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2872-598-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3120-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3260-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3280-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3296-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3388-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3424-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3476-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3572-581-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3736-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3756-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3768-608-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3768-76-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3888-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3892-398-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3936-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3976-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3992-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4044-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4048-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4136-500-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4228-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4272-114-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4392-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4416-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4464-543-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-319-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4528-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4556-508-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4600-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4696-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4700-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4704-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4900-570-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4900-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4920-309-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5004-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-532-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5048-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5064-490-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5108-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads