4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe
Size

64KB
MD5

036ada3e5f89c61aa4706fce85367fe0
SHA1

da97973b8eb921e5fcd4652745c40b9509f5c81e
SHA256

4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6
SHA512

60436ec6a8b4753e51cbf77f7681e7208b233bccbc04c3ad99fb7936e40482f3a1ee69b26d4d26c75e7f73c4e640d05a403b5e33b4569c8c126af901d98ed11d
SSDEEP

1536:1tXJRZth1cYpxMbE73+xEJcAFd7Z/Eh2LyAMCeW:DXJN3xMoE8Fd7ZnypW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe

Executes dropped EXE 64 IoCs

pid	Process
428	Eofinnkf.exe
452	Ebeejijj.exe
1140	Ejlmkgkl.exe
1168	Emjjgbjp.exe
4544	Eqfeha32.exe
3456	Ecdbdl32.exe
2028	Ffbnph32.exe
3960	Fjnjqfij.exe
5116	Fhajlc32.exe
4148	Fcgoilpj.exe
528	Ffekegon.exe
2056	Ficgacna.exe
2752	Fqkocpod.exe
4752	Fbllkh32.exe
432	Fjcclf32.exe
4560	Fmapha32.exe
2824	Fopldmcl.exe
2924	Fbnhphbp.exe
3868	Fjepaecb.exe
4836	Fmclmabe.exe
3724	Fobiilai.exe
2984	Fbqefhpm.exe
2892	Fijmbb32.exe
4868	Fqaeco32.exe
784	Gcpapkgp.exe
4548	Gimjhafg.exe
3160	Gqdbiofi.exe
500	Gogbdl32.exe
2104	Gbenqg32.exe
2052	Gjlfbd32.exe
964	Gmkbnp32.exe
968	Goiojk32.exe
4568	Gbgkfg32.exe
3124	Gjocgdkg.exe
3272	Gmmocpjk.exe
1412	Gpklpkio.exe
2964	Gcggpj32.exe
1084	Gjapmdid.exe
4452	Gmoliohh.exe
2068	Gqkhjn32.exe
1164	Gcidfi32.exe
5064	Gfhqbe32.exe
2968	Gjclbc32.exe
4340	Gmaioo32.exe
928	Gppekj32.exe
2592	Hclakimb.exe
1340	Hfjmgdlf.exe
2780	Hihicplj.exe
4352	Hapaemll.exe
2480	Hpbaqj32.exe
3548	Hfljmdjc.exe
1440	Hikfip32.exe
4436	Habnjm32.exe
4596	Hcqjfh32.exe
2724	Hfofbd32.exe
728	Himcoo32.exe
4940	Hadkpm32.exe
3252	Hpgkkioa.exe
4872	Hbeghene.exe
1852	Hippdo32.exe
3440	Haggelfd.exe
3676	Hcedaheh.exe
2800	Hjolnb32.exe
4780	Hibljoco.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Ffekegon.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Eqfeha32.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ebeejijj.exe	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Kmihaj32.dll	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7032	6880	WerFault.exe	262

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 428	1912	4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe	82
PID 1912 wrote to memory of 428	1912	4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe	82
PID 1912 wrote to memory of 428	1912	4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe	82
PID 428 wrote to memory of 452	428	Eofinnkf.exe	83
PID 428 wrote to memory of 452	428	Eofinnkf.exe	83
PID 428 wrote to memory of 452	428	Eofinnkf.exe	83
PID 452 wrote to memory of 1140	452	Ebeejijj.exe	84
PID 452 wrote to memory of 1140	452	Ebeejijj.exe	84
PID 452 wrote to memory of 1140	452	Ebeejijj.exe	84
PID 1140 wrote to memory of 1168	1140	Ejlmkgkl.exe	85
PID 1140 wrote to memory of 1168	1140	Ejlmkgkl.exe	85
PID 1140 wrote to memory of 1168	1140	Ejlmkgkl.exe	85
PID 1168 wrote to memory of 4544	1168	Emjjgbjp.exe	86
PID 1168 wrote to memory of 4544	1168	Emjjgbjp.exe	86
PID 1168 wrote to memory of 4544	1168	Emjjgbjp.exe	86
PID 4544 wrote to memory of 3456	4544	Eqfeha32.exe	87
PID 4544 wrote to memory of 3456	4544	Eqfeha32.exe	87
PID 4544 wrote to memory of 3456	4544	Eqfeha32.exe	87
PID 3456 wrote to memory of 2028	3456	Ecdbdl32.exe	88
PID 3456 wrote to memory of 2028	3456	Ecdbdl32.exe	88
PID 3456 wrote to memory of 2028	3456	Ecdbdl32.exe	88
PID 2028 wrote to memory of 3960	2028	Ffbnph32.exe	89
PID 2028 wrote to memory of 3960	2028	Ffbnph32.exe	89
PID 2028 wrote to memory of 3960	2028	Ffbnph32.exe	89
PID 3960 wrote to memory of 5116	3960	Fjnjqfij.exe	90
PID 3960 wrote to memory of 5116	3960	Fjnjqfij.exe	90
PID 3960 wrote to memory of 5116	3960	Fjnjqfij.exe	90
PID 5116 wrote to memory of 4148	5116	Fhajlc32.exe	91
PID 5116 wrote to memory of 4148	5116	Fhajlc32.exe	91
PID 5116 wrote to memory of 4148	5116	Fhajlc32.exe	91
PID 4148 wrote to memory of 528	4148	Fcgoilpj.exe	92
PID 4148 wrote to memory of 528	4148	Fcgoilpj.exe	92
PID 4148 wrote to memory of 528	4148	Fcgoilpj.exe	92
PID 528 wrote to memory of 2056	528	Ffekegon.exe	93
PID 528 wrote to memory of 2056	528	Ffekegon.exe	93
PID 528 wrote to memory of 2056	528	Ffekegon.exe	93
PID 2056 wrote to memory of 2752	2056	Ficgacna.exe	94
PID 2056 wrote to memory of 2752	2056	Ficgacna.exe	94
PID 2056 wrote to memory of 2752	2056	Ficgacna.exe	94
PID 2752 wrote to memory of 4752	2752	Fqkocpod.exe	95
PID 2752 wrote to memory of 4752	2752	Fqkocpod.exe	95
PID 2752 wrote to memory of 4752	2752	Fqkocpod.exe	95
PID 4752 wrote to memory of 432	4752	Fbllkh32.exe	96
PID 4752 wrote to memory of 432	4752	Fbllkh32.exe	96
PID 4752 wrote to memory of 432	4752	Fbllkh32.exe	96
PID 432 wrote to memory of 4560	432	Fjcclf32.exe	97
PID 432 wrote to memory of 4560	432	Fjcclf32.exe	97
PID 432 wrote to memory of 4560	432	Fjcclf32.exe	97
PID 4560 wrote to memory of 2824	4560	Fmapha32.exe	98
PID 4560 wrote to memory of 2824	4560	Fmapha32.exe	98
PID 4560 wrote to memory of 2824	4560	Fmapha32.exe	98
PID 2824 wrote to memory of 2924	2824	Fopldmcl.exe	100
PID 2824 wrote to memory of 2924	2824	Fopldmcl.exe	100
PID 2824 wrote to memory of 2924	2824	Fopldmcl.exe	100
PID 2924 wrote to memory of 3868	2924	Fbnhphbp.exe	101
PID 2924 wrote to memory of 3868	2924	Fbnhphbp.exe	101
PID 2924 wrote to memory of 3868	2924	Fbnhphbp.exe	101
PID 3868 wrote to memory of 4836	3868	Fjepaecb.exe	102
PID 3868 wrote to memory of 4836	3868	Fjepaecb.exe	102
PID 3868 wrote to memory of 4836	3868	Fjepaecb.exe	102
PID 4836 wrote to memory of 3724	4836	Fmclmabe.exe	103
PID 4836 wrote to memory of 3724	4836	Fmclmabe.exe	103
PID 4836 wrote to memory of 3724	4836	Fmclmabe.exe	103
PID 3724 wrote to memory of 2984	3724	Fobiilai.exe	104

C:\Users\Admin\AppData\Local\Temp\4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a619e3ce3183cedd4477de3f3a7c977a3ac142401577a19c7b99665f3a9dee6_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\Eofinnkf.exe
  C:\Windows\system32\Eofinnkf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\Ebeejijj.exe
    C:\Windows\system32\Ebeejijj.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\SysWOW64\Ejlmkgkl.exe
      C:\Windows\system32\Ejlmkgkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        25⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:500
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        38⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        42⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        43⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        48⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        49⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        52⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        53⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        55⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        56⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        59⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        60⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        61⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        63⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        64⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2340
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        67⤵
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4336
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        69⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        70⤵
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1704
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4856
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        75⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        76⤵
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4020
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        79⤵
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        80⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        81⤵
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        83⤵
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        86⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        88⤵
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4508
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        90⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        91⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        92⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        94⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        95⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        96⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        98⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        101⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        102⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        103⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        104⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        105⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        108⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        109⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        112⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        116⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        117⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        118⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        120⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        121⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        122⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        124⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        125⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        126⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        127⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        129⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        130⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        131⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        132⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        133⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        134⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        136⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        139⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        140⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        141⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        144⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        145⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        147⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        151⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        152⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        154⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        155⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        156⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        158⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        159⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        161⤵
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        163⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        166⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        170⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        171⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        172⤵
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        174⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 408
        175⤵
        Program crash
        
        PID:7032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6880 -ip 6880
1⤵
PID:6988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
64KB

MD5
d5da2925241373e9a1eb79be40709d1d

SHA1
5e05b33085837067d94a9a11379a44c298f10f72

SHA256
99fb51fba1e1d589b09a9b6ad7245d6a5eee632d69256e74cf72ba6f7b874fac

SHA512
e560c0dfae80d21a9ba08448ac56cf41f68d760542e8ca84890c1a7a10b3665d3367d3684ac888a295aad7b1b2509c82cf74082cf073c781afe55f9def9d5151

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
64KB

MD5
1b9964b9db1dadeea2b1340b94651250

SHA1
da5394a66c554a93f99452b9d0a129cae057f3c4

SHA256
5b56d9ee56e66e1458e4db53f9d7fc1cea7fdc95753a08e15d0786081b6b9d9f

SHA512
8fa383c95e514c3546c64e672292d7e58f649b73e80436ac6ea915d2d5ecd9b21e99d789286f5b6d63a8d979c87f4c1afe80a402600e1b067fd02303a9a6611c

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
64KB

MD5
32a16fb7a3936905ebfa1dc6a612ea07

SHA1
32731e1c8622ce82c7edb1ad6f19d2c989257280

SHA256
4c7e6476bdb9ace264f0b787f60cc6e83d2d28dff99f55268ad6d4e9ed7308d0

SHA512
1d5c9f02ff5d9e31a7d45748182459a7131ab187b4c68559f5fb2906c627e1d874be501ec91a9694fdd63bfd4518624ea564ed97ee77a8ee79713dc6e6412cbb

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
64KB

MD5
176fa8ff43cb5362921809037ce6b5ff

SHA1
b50f5819f64be8b80952eb9295e5c3f8e064fad1

SHA256
64504db05034e5e8b2a3146294ee8f8880d11016cfa2120d16383e2e40c499bd

SHA512
1aa32031601c3cf08b19e6ecc646bb22f99109bf3a199b8a74a9d5bdafd755bab65b9d3e2ab67d0216a049cf8ecd54309520dc6a9979f55e38d2ba7e9a26e5ad

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
64KB

MD5
5a73fcb6d7dde9d8a08ef7372333cc7e

SHA1
e4de5fec96af85db5e47124fcc6f4fdb63010309

SHA256
eaffbd9e776470ba8e2b17e62dc43aa9516c6ed22ff4f2f9912136d5c752631e

SHA512
b36a8f6ce1d8124f1ccf40778466aefd8aa56a1fcec9a38ddae6ea7a562d04737456c92ef00381a88fb632f270eb68a883fcf80fda2f279545252bde4094cf0e

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
64KB

MD5
e3ca326e79581c84a4c5069a0b9bcda1

SHA1
48e93df3ad8b23eac18e41fc2a939fcdd644267f

SHA256
b39b0173f7a77b3c4d90cb7397d1c2a0fb807f9b8f89cbe7debc509ea6783c97

SHA512
23e128eea600ac705454456017d2f7f59591f6493648afa0c9239c8e2b5e855c60082a49bbf46ee69decf35de9e46efacca83cad9f6218a3e749c1260c52da8c

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
64KB

MD5
72d06d49e62f33b969e40c14585d5cb6

SHA1
519903c729b61794127c83ec8663f02320efc0ae

SHA256
c0b54b50617050a03e06cb8c78c18eb3e69c151b25b2e4277a41670e75572d1b

SHA512
0fdd0260dfb52716ca9e3f2bc89c7b8abbcbe11969cc874ae217b46b1d8ccbd8dbbde140fcbe688b9d1a2df55b533e279ae1f3dd9404171789d03852e2c17600

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
64KB

MD5
afb46606f82d319a71f89448686444c7

SHA1
c612889f23c9e3386fa02e4ec20f827d5fcb7a03

SHA256
4881977380e0b79a1f9250dfe2a802b1564130320acbbd234231b6b5ba89b304

SHA512
6ac790414f987860810ff9f102827ee4ee7b82e2374cf253708ba5f10786e5ff5194185e37ffa155b8e14f1e12a2241088a0aa679a9da62ff4b7d97361e04705

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
64KB

MD5
597a3b9a01f8f855ad60224cfa46796a

SHA1
0bb8caf104479c25a102f7309bfd7ca61744cc17

SHA256
b554b22dce6421164bfea023e7d0012a671af9f618249e1d97b93a3cac23d73a

SHA512
69177afa2933c92ed5b45582a1c16daacc43a23e7560239ad9dd395c50830ad4dfff284686ca527a071a1cb1d4b6b8806569389a5fd20ab5fa7e65da27f38867

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
64KB

MD5
5a5a86ef0ac91f02607bfb4f9aa71328

SHA1
4422444efe4a83bc9f953035e7fd1b9728a2c7cb

SHA256
1238cfa09a223e1214dd68574350cd815ea001f4065d8a53b47fe5bb2c8ab645

SHA512
7e0fe9ba2ae07562c84d82f675d4ac2c9de0c74a59e93d83a29428a2496f18c44684bf26b836e6a507f66c285a3030e00944443d6038b2952b0850811a46b8e2

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
64KB

MD5
adb53ca69c446e9b3fbaa6fc9e772fcf

SHA1
c762c8793299b348dc5badfae514274518af7651

SHA256
04d86959265f2bf945b9f3d42a9d11d9c429a53a8db8b8924415a323f20567ee

SHA512
a4e46c2512240ce122711cb7ee475ed907d2ff7d2fcd5bba40f72716e56d6968614c5c9f2429a267996e074038092d7c0954abe6359a3eac58448c904110de26

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
64KB

MD5
771dda733038ffdcb083ce75a806ad2f

SHA1
02a8cecf67c3e5dcfc7e074f38fbb627c3c4d495

SHA256
a4b8a38803dee15e910682de57e047b838ef5db1b73e093c6a141b2fb4675f24

SHA512
3da6b4b229477f2cac3a9829a091de67b1495d8b706100aabfd3e6f4a43a3e1d0bc7683fbf420037f99973fc35fdec15f5350f434754049fbecb864c0e5a5098

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
64KB

MD5
44231c14c997b919e061efdd1a332144

SHA1
3b6f6bdec22a73ec3650bc9f92caedb4fb5b14fa

SHA256
34ea6fe793b3b59943abe9df1529aa60c0b72d6f1fa6c29dae48bac6b7428690

SHA512
cba9cb88c8cd88099c31494a29d56a84ce75db8b2434df6ab2b908b4461f4a3bdb5d1ab9e23d354a9619f8087c60787f79ebc47ca0ce17562ff6224bb00880d7

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
64KB

MD5
e9f1de97ce7cab259d3ec68f809ba0d5

SHA1
0965e06fe068bc6c98e90a858ed4d437c2368460

SHA256
499961a52be3b9159e944dc46cf6575d3713654872579175d6d5c5e670a693b4

SHA512
946febaa91627627eff60649ba46b484cfeee9649cb49dc5f3ed985befc6359490eea9a0ae1441ae7f7105341aaf3740057bbb5d21281fa8780e7f82b3554ec5

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
64KB

MD5
f918409e61bd49046ab09da6d6246f5e

SHA1
a0bc16853719b9e9666aef34cca5b199fc167492

SHA256
daed1c6a0f3e5b627264c7602820a0a260152a4dba630a4b69285e5454ca5192

SHA512
93efe604c863e9672d47f861a941237b9c585eeb90a649a549ad2f6e0f4b7c2bbe27f25471a4e306fcca32fec17ec350e968d82938a39764bcc7d37937d3fe06

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
64KB

MD5
93beee0b80fd7ce562fc431a5200acab

SHA1
1a56812b8676d0e0d3e282b55951c733a8a08802

SHA256
0fae21ae6ca02a2b861cea707e52b38143dc2e1287f5a31e907a2ff2f7fd6b6e

SHA512
bb8c9a2c6db727393d8d2a451d1b5051fea66d0447ec79ac0018c930fc47cbaa840371eccb339045920cf601e3b484b9eda10f769dc44cb598cd874edabfdf43

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
64KB

MD5
3d6478ce6295248748647f7168e7a610

SHA1
3bf6eee1d1ceb1278ed483ebd8732e9f1bc8c8a4

SHA256
db4e80f1bf2e6f0449e640be724c5655218eff1f166031e27133f6b0a8472c35

SHA512
77b568b2f71cae2212f6cef93e53833e63d10ffc7ce81240c9d6a9bd689ba8e89dfb512771e36b584bacc38a658919eadb7711de811c9bb93398e8dc72b370b7

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
64KB

MD5
c2c42c39e727a23bffbae2574cdb9af7

SHA1
fec56e2cdaefeb6076ec6825fb327d14b5c52325

SHA256
b0841e0c7a5116481c4cf1057a4b5bc2a0cf664fbeacc1270ed7186752cea376

SHA512
0e95b6821511a689033743b1d79917daacbcc69b0171d6f8d825d5d02453bedfd1eb3d0be6e64d3e05a56c36fc365ae436fc27a6669dbb1aed9fbfd204312873

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
64KB

MD5
5d0d8e469feb3b7ee97385cdef591769

SHA1
7a81315ff240fc904a1d3fed4e9e3d12db42fb5c

SHA256
bd819c9e3c4fbe73670e1e04763438445ab8fd7c4de5d6d92d31fdf74aa8c834

SHA512
22e948dec834139211d3cbc3c9fce997d4bcc7d02b9db0f6b128ae03500489f2548894f2c3913b7534b9c323f0d9bae5e8468a2d3d59a4c976795d2778196787

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
64KB

MD5
195abbc2593c08b803270c463be001e3

SHA1
a51dd1f988a657adadc58984b30aab5f48242ecb

SHA256
0d1c4c7e743b25a488247e89fc2954073aefc47d9cf28c64cac083855b06def0

SHA512
43897e9c8576e04c3736d6f52419faaf45fb7f53f67f4c85feddbb56bc38b3770594a02977948a87618d3ed274de975fd42600bf58cd485f319ea3df80b1095c

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
64KB

MD5
25bf0c4124538d032c39db4d11168db6

SHA1
78b7b137d2a4f1e246d985d568259a4ba25c6b92

SHA256
85c80181ffb617544992cc6283ca7bfa189c925770f0788b8cc1a40764776763

SHA512
86d723c8057361cdc6aba74cd01e8d9992e29f232aed632f62be5e673e7e5ff5ec560deb82c3fe4dee80e1b56e86fbdeb836b43408a7a830fbcb440cf844a439

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
64KB

MD5
4d86dc0cc9f76e9f674d75339caadabf

SHA1
152116d340685dbadfa27972f98bd22509de5b6a

SHA256
7c3b2cc4d35c08bc1f807aaf945f97d4a0acaf647b76b98c04fc5d15ab3e5611

SHA512
12ce1de3f9c7a22cfa4e9a6559f6a0f546a7871c94bee98eaa6a01e897c0b830725329dad9f2dff579b52c54cb549fe1193e5ac8c7837d4c1d88bc703f72ef1c

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
64KB

MD5
37d520f8537b69a1aac14d45528bcd46

SHA1
ae23b7897d8553149eafe102d5e936d2b827f6f7

SHA256
a7aba9660bdb4a0e97b5803920376b0db0ee7cbd4c359a579b41a90002ddf488

SHA512
b4f54fff2174eadf5a3d83bd39387db7f8dcb3045314a1da31252f41f94724244f8d079912d8ac34cc68d0d66051f1924b1859bb8a14d8574519964688509605

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
64KB

MD5
6297d2ccb2dea2367b39267192fca5d6

SHA1
eed421d5e7717f46a126d6f6ecc09ef546356b5a

SHA256
6f4b584f59ba0f09087319bb7a2d1bdfb050f6eaa8a7679c3d092ade4f2b115e

SHA512
568f7c1192c5701a76fc1adb9f0ecd622127d330fd08d3c5ef48b309d489df6ef582fbc81949293d11f6aca3882475598ad15a84832727d5b49749c6d06b2cfd

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
64KB

MD5
08667cc8c63f53bfddac28b23d4123d4

SHA1
e0339beb043706148d6389d13a1b3d362cd0667a

SHA256
19e5616d89ddae1e341a1a5e2a35778e3ec08125c7ed116c24913928716f8c1c

SHA512
9e2cc4f261716641f75a6be1394f8bc90ce3dcf71320cc0df44de76a9394760352713b0c9d3e444f935ba718d3b4bcad63a8494867c336af5ec88279d9e50637

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
64KB

MD5
15a7a4c7302f68f5cd308e0998a00dba

SHA1
d4ddd972df1bdfb63e65a542eea54ac31f191034

SHA256
b4f7298fa3f1f30f1cf3747e0a488aa26c0a2eb0b95300158df32a9bec0b3079

SHA512
aeb74b90d397f0f060cc6a61af8631a1d0e9e994fed15876e25ad523a96a42a9271982d6532969408e676e936cb24b17571376da51c2fcc80cfbf11279c78f3f

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
64KB

MD5
03d5ee75ce51d5b5fed6ef84dbe9b772

SHA1
edeb9a668740c69d82333a35113cd5f5dcb81b32

SHA256
177c9766910fe7f1a2870271e6fe1e9be3ffc59eca3c8e01a18526e4b277bfab

SHA512
acfe766accebbd27094f44d855e84aa7f8a75c9b6d7112651a83a84cb28ab08a42bfb5aa7e1a84aa2c634aab0ba2e273447da460e67f9e2ee99ee4536f471574

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
64KB

MD5
3073532514125eb3826d0a494b00fda9

SHA1
e119d4b7c0bf409b95eed59a502d32c1eff5f905

SHA256
0401f6a03e45e64a820edcc62bf2289373b66136edcb5a592b1aa5af5ea50ecb

SHA512
678a341ec604cef83997c9f711950987e37059b5f2b9c81f8312de28f922a53c9deaae234c96ce52e658844e89ad9994c50d84d349c72aeda0492b2dc3083c80

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
64KB

MD5
c545b3dfcc87e315ad9688ac6d1fbdab

SHA1
27d9cacb8caffe052b49969bc24e4bc985434aaa

SHA256
211ee4590b5b53f84a8546cba74624c7bd985997e7d43e54778e420bd3d0f454

SHA512
4c8cd7bc570fe040713d5200e3ed27b3dbcf045a238e500ac4384ff4aed71d1aad9aa211e0ed425b88e26ca6b712aaa7de89f385099b02866579dff4a137e7f3

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
64KB

MD5
c6b8b5706c5049ab8526d3d557dac334

SHA1
efd82917652155de037b1c9081e9604288445ca7

SHA256
6dff2fd91435b6686afc790d9da23114145d42d9fcba2057c1dcaa8232661e85

SHA512
a3701aa1336e5debf39eb2c92614f09fbb2f0b779d7f34e7b1436976237126b5a622b01940f3cc47596fdf81eaef058c1a0f48a5b0a94d2dceb1584d81355fa9

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
64KB

MD5
49297f7142e165c9b0b71d097984d1d3

SHA1
392ac0f2b0f19e8e5bdf12a6a1d76638df62d321

SHA256
7e5410aae7eda9d23985b2207c6da0a04cb8aeccabc9f3851b7fa000077e08b1

SHA512
c7963672b8c451ff15a4daf1a4825c5bae1f1637fa7e9f870c44f0c1dce78541ce90001598926dd517ffa1613256ab1c5df38f2fa63a8674d7860a813bbc0991

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
64KB

MD5
f82b9282d5831a6c7016593eb42ba556

SHA1
7ff548f4755b72c10cca69d0b247a75e0afd1680

SHA256
36f5a608045eaf123a74231026a094570babfc104dfa35943d822c79480c01c0

SHA512
5745ce49441453f76908f4efa781ad64f857de3e1a14f161ffd7b378e5351bd904d16ff18baaf1a97b2b3fe081ba0d083e5b9324dcf847299ca13b2868cc10c2

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
64KB

MD5
b3c751a0a227210e8238d3b61a2ac8e7

SHA1
ded6a5e3b73552add22332c2fae3630de72db0b5

SHA256
d782a4370716a5d6b711f3ef04da67195c49f54d1c3f565efe1e8f18cc831be2

SHA512
27b410d370a130e33a6a8765acb5d8b3580c34a1683cc9d3cfb0ecf77f2e99eb8d831f20935412a5a21060b40e62a979e260dd08f7995edfbb1cf524d8e42332

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
64KB

MD5
7f09949e2563daddddf5e7adc7c60d15

SHA1
b5303a376054f51b2969f46215bfc7ab09c054e1

SHA256
9db825fa5176b1ebdb4d84f8397c1dd2209e767178bef1332dd9a3e6c2953d0f

SHA512
96d18809d319a5ae386dd761fbf800a9d4445a49871761a4e69213ab382b28f1b8a9e551a0097a8e4cd2a176ba9c26ff3df72fb8f910500d686e4c4a45aa0c43

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
64KB

MD5
d3025bb007c51bd6b345631032167d39

SHA1
cc2531e88dfc514e0e0d1aba1137e560b0b93034

SHA256
06f2d33d388b6e0072822d3904911372488a33c2a9445170743be8891224b07f

SHA512
21fc6778c42cebf6ed3c214d4b1f392ee3e34429c1223da79013573817677e82bfb7a087c0d607a8ef853cddbd5ef7480b48853a2a568169794b72d1475fc322

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
64KB

MD5
ee7a00d798fd4de0dddf3e106f9de0fa

SHA1
79b1db9774c4b68847e111a470e7eeec26af5e54

SHA256
e007ae864d37191b30cc60d6280e16ebf29fc2924d61811181a714b012ed0f0d

SHA512
529d11f79ac4f300f3b141d318b87806eef16d53edc119249fe84e95ca6f3b16d785cfa425d2f68ab362fccb15bf935db339a4689833e7adccd6c2f66c4bbfba

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
64KB

MD5
ba3c672834a30bff454b0c9ae0079e72

SHA1
1c028944ce630a4d68222c57e99d8866a039de45

SHA256
66cdc55b1b2d68de606507ad0464104e19af25914c1ea17c275fdf19337fd4f0

SHA512
08935ba83e14eb8aec36b5759db748b8a0dd12805139cfbb158c366b8d3a218ad8a4d4fdd4a22a7040af709c182fa454c5a626b569f63f75fcc8080772489dac

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
64KB

MD5
207f8544168c6a49428a064068eb9efd

SHA1
94572e2131032afd92ff269f58d4d0cbf55fbad2

SHA256
58659688ad5dd2ad6c13868d45056fa15a57538a86a78804159f1dfbb106c8ee

SHA512
fff557e9ddbce12b99e587f53166914bdddfb52ff46531f911769175747c9cc0e5cf65cb8515eef88043bde7ec9493e13dbe5c05bc8d20041db64be085424d16

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
64KB

MD5
828ce479a7e395f99008e0820ea74643

SHA1
e89be8811bed9aeac2ebe5c5032dfa22fe4eec44

SHA256
12fd33023ed20a3811c9fcb3ca76aacce01b463cd5ec853d909250d790ad5f72

SHA512
2dcb0a1694f5b7a3c1b4456163b978015000d368b72a945084004b144a40f84df2730450cef9324d4e20a152c10edc95e3dafe3b4c131f062b4dc31d1c6083f6

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
64KB

MD5
c2b2c16ed1c138e68f09b405dfd4628e

SHA1
4927d2d3e4476b2b5ffda401691d709f3b198168

SHA256
602e8e6e57b93d491259ce6f2662738bc13a7f8b175bf4457b43cfcf2ac7f6b1

SHA512
49d522b3f774453ec8ea605fe81263c6124536c19faad98890906ad8fbcf579cf84a20d2be03a77f5714a86adadb7c9c30d1c732cafaa36df405805a836bfd12

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
64KB

MD5
c0ce032c5e1709b8f8147b4078a28a8f

SHA1
a300f976d339307354654160faacfb7d2a1c805d

SHA256
c858d79a03110d0b915d74aa2ec06ddb3fa2242adff73620e3e7b3b160112c14

SHA512
920dbabcae60f353c8d083ec6b070c4861fc1a4799b0501b25367e457c3cbfa7bd6d982dbff9824a15d944b1caaf530c58df810d6803f82c2188581b9462fb8d

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
64KB

MD5
83938c49ae97d67c0ed3ebb49410b763

SHA1
85b2dc126177cfe6b9bb445ce2f04c78079ed9cc

SHA256
30ce56a8b5b6fc728eefe22abe8f2b1541acb3bcf38fbc27670099b864ff0e76

SHA512
9d87dfd4780d65ae1d2d0197453c80ca8a6ffb0ea7c136c1d7c3af1e65af0808fddb958cf53aa6c7c27bcdb5e63dac5950f64f1353c268dd90e0e4c2eab6776f

Download Submit
memory/212-466-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/428-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/428-552-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/432-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/452-559-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/452-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/500-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/528-93-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/728-406-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/784-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/964-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/968-257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1028-489-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1084-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1140-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1140-566-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1164-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1168-37-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1340-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1412-285-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1440-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-598-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1680-533-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1704-491-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1832-591-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1852-425-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-539-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2000-513-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2028-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2028-597-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2056-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2068-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2104-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2340-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2480-365-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2560-525-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2592-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2724-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2748-551-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2752-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2780-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2924-149-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2964-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3060-540-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3124-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3160-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3252-417-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3272-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3352-567-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3440-431-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3456-586-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3456-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3464-553-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3676-437-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3724-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3848-515-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3868-157-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3960-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3984-503-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4020-527-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4148-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4192-560-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4336-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4340-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4352-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4356-477-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4376-479-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4436-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4452-301-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4544-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4544-579-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4548-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4560-129-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4568-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-389-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4676-573-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4752-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4780-453-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4836-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4856-501-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4868-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4872-419-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-412-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5044-580-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5064-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5116-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads