58ae91af72185feb370c05632e125ded9b0012415e61a5c6e3d4af8450f2a24a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58ae91af72185feb370c05632e125ded9b0012415e61a5c6e3d4af8450f2a24a_NeikiAnalytics.exe
Size

120KB
MD5

c22af7f1ba43ba36bedc4afff6aa6880
SHA1

c0efc39e649421b14720062d4c447a25382858fc
SHA256

58ae91af72185feb370c05632e125ded9b0012415e61a5c6e3d4af8450f2a24a
SHA512

bff264058fdf901c7c41b40108775d56bc2c875139cc2ee458109caba112e591bbb7bed80576748f34571bafdf68aad983226b4e3e4569523aa733a08999f7ce
SSDEEP

3072:p40id9dyp+HuQCzYkhNYvvuRNPi/mjRrz3C:p40OIgCphNY+RNPi/GC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dadlclim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagiil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhlhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elagacbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe

Executes dropped EXE 64 IoCs

pid	Process
3672	Dhlhjf32.exe
4940	Dpcpkc32.exe
4132	Dadlclim.exe
4592	Djlddi32.exe
4632	Dohmlp32.exe
4936	Dagiil32.exe
1352	Djnaji32.exe
1316	Dphifcoi.exe
5056	Daifnk32.exe
2840	Djpnohej.exe
4696	Dpjflb32.exe
1864	Dchbhn32.exe
2320	Efgodj32.exe
2548	Elagacbk.exe
4944	Epmcab32.exe
3644	Eckonn32.exe
1620	Efikji32.exe
2444	Ehhgfdho.exe
4444	Epopgbia.exe
1016	Ebploj32.exe
2928	Ehjdldfl.exe
4576	Eodlho32.exe
1088	Ebbidj32.exe
2632	Ejjqeg32.exe
3832	Eofinnkf.exe
2564	Ecbenm32.exe
3632	Efpajh32.exe
3188	Emjjgbjp.exe
688	Eqfeha32.exe
3480	Eoifcnid.exe
4480	Ffbnph32.exe
4500	Fjnjqfij.exe
4408	Fmmfmbhn.exe
4212	Fokbim32.exe
3936	Fbioei32.exe
4860	Fjqgff32.exe
620	Ficgacna.exe
4560	Fqkocpod.exe
1200	Fcikolnh.exe
1776	Fbllkh32.exe
4844	Fifdgblo.exe
3700	Fqmlhpla.exe
1196	Fckhdk32.exe
2364	Ffjdqg32.exe
4840	Fjepaecb.exe
1180	Fmclmabe.exe
1852	Fqohnp32.exe
1816	Fbqefhpm.exe
3392	Fjhmgeao.exe
4368	Fmficqpc.exe
3564	Fodeolof.exe
3624	Gbcakg32.exe
1936	Gjjjle32.exe
4072	Gmhfhp32.exe
2680	Gogbdl32.exe
1660	Gcbnejem.exe
1732	Gfqjafdq.exe
3712	Giofnacd.exe
2488	Goiojk32.exe
400	Gfcgge32.exe
1288	Gmmocpjk.exe
2392	Gpklpkio.exe
4588	Gfedle32.exe
4960	Gmoliohh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Eoifcnid.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Dadlclim.exe	Dpcpkc32.exe
File created	C:\Windows\SysWOW64\Eceakm32.dll	Dadlclim.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Eofinnkf.exe	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Dpcpkc32.exe	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gqpmkibm.dll	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Jqqjmnii.dll	Ebploj32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Npgpaojg.dll	Djpnohej.exe
File created	C:\Windows\SysWOW64\Cfjbmnlq.dll	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Idofhfmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7056	7052	WerFault.exe	285

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobgoedj.dll"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlqig32.dll"	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojeoiop.dll"	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3672	1388	58ae91af72185feb370c05632e125ded9b0012415e61a5c6e3d4af8450f2a24a_NeikiAnalytics.exe	82
PID 1388 wrote to memory of 3672	1388	58ae91af72185feb370c05632e125ded9b0012415e61a5c6e3d4af8450f2a24a_NeikiAnalytics.exe	82
PID 1388 wrote to memory of 3672	1388	58ae91af72185feb370c05632e125ded9b0012415e61a5c6e3d4af8450f2a24a_NeikiAnalytics.exe	82
PID 3672 wrote to memory of 4940	3672	Dhlhjf32.exe	83
PID 3672 wrote to memory of 4940	3672	Dhlhjf32.exe	83
PID 3672 wrote to memory of 4940	3672	Dhlhjf32.exe	83
PID 4940 wrote to memory of 4132	4940	Dpcpkc32.exe	84
PID 4940 wrote to memory of 4132	4940	Dpcpkc32.exe	84
PID 4940 wrote to memory of 4132	4940	Dpcpkc32.exe	84
PID 4132 wrote to memory of 4592	4132	Dadlclim.exe	85
PID 4132 wrote to memory of 4592	4132	Dadlclim.exe	85
PID 4132 wrote to memory of 4592	4132	Dadlclim.exe	85
PID 4592 wrote to memory of 4632	4592	Djlddi32.exe	86
PID 4592 wrote to memory of 4632	4592	Djlddi32.exe	86
PID 4592 wrote to memory of 4632	4592	Djlddi32.exe	86
PID 4632 wrote to memory of 4936	4632	Dohmlp32.exe	87
PID 4632 wrote to memory of 4936	4632	Dohmlp32.exe	87
PID 4632 wrote to memory of 4936	4632	Dohmlp32.exe	87
PID 4936 wrote to memory of 1352	4936	Dagiil32.exe	88
PID 4936 wrote to memory of 1352	4936	Dagiil32.exe	88
PID 4936 wrote to memory of 1352	4936	Dagiil32.exe	88
PID 1352 wrote to memory of 1316	1352	Djnaji32.exe	89
PID 1352 wrote to memory of 1316	1352	Djnaji32.exe	89
PID 1352 wrote to memory of 1316	1352	Djnaji32.exe	89
PID 1316 wrote to memory of 5056	1316	Dphifcoi.exe	90
PID 1316 wrote to memory of 5056	1316	Dphifcoi.exe	90
PID 1316 wrote to memory of 5056	1316	Dphifcoi.exe	90
PID 5056 wrote to memory of 2840	5056	Daifnk32.exe	91
PID 5056 wrote to memory of 2840	5056	Daifnk32.exe	91
PID 5056 wrote to memory of 2840	5056	Daifnk32.exe	91
PID 2840 wrote to memory of 4696	2840	Djpnohej.exe	92
PID 2840 wrote to memory of 4696	2840	Djpnohej.exe	92
PID 2840 wrote to memory of 4696	2840	Djpnohej.exe	92
PID 4696 wrote to memory of 1864	4696	Dpjflb32.exe	93
PID 4696 wrote to memory of 1864	4696	Dpjflb32.exe	93
PID 4696 wrote to memory of 1864	4696	Dpjflb32.exe	93
PID 1864 wrote to memory of 2320	1864	Dchbhn32.exe	94
PID 1864 wrote to memory of 2320	1864	Dchbhn32.exe	94
PID 1864 wrote to memory of 2320	1864	Dchbhn32.exe	94
PID 2320 wrote to memory of 2548	2320	Efgodj32.exe	95
PID 2320 wrote to memory of 2548	2320	Efgodj32.exe	95
PID 2320 wrote to memory of 2548	2320	Efgodj32.exe	95
PID 2548 wrote to memory of 4944	2548	Elagacbk.exe	96
PID 2548 wrote to memory of 4944	2548	Elagacbk.exe	96
PID 2548 wrote to memory of 4944	2548	Elagacbk.exe	96
PID 4944 wrote to memory of 3644	4944	Epmcab32.exe	97
PID 4944 wrote to memory of 3644	4944	Epmcab32.exe	97
PID 4944 wrote to memory of 3644	4944	Epmcab32.exe	97
PID 3644 wrote to memory of 1620	3644	Eckonn32.exe	98
PID 3644 wrote to memory of 1620	3644	Eckonn32.exe	98
PID 3644 wrote to memory of 1620	3644	Eckonn32.exe	98
PID 1620 wrote to memory of 2444	1620	Efikji32.exe	99
PID 1620 wrote to memory of 2444	1620	Efikji32.exe	99
PID 1620 wrote to memory of 2444	1620	Efikji32.exe	99
PID 2444 wrote to memory of 4444	2444	Ehhgfdho.exe	101
PID 2444 wrote to memory of 4444	2444	Ehhgfdho.exe	101
PID 2444 wrote to memory of 4444	2444	Ehhgfdho.exe	101
PID 4444 wrote to memory of 1016	4444	Epopgbia.exe	102
PID 4444 wrote to memory of 1016	4444	Epopgbia.exe	102
PID 4444 wrote to memory of 1016	4444	Epopgbia.exe	102
PID 1016 wrote to memory of 2928	1016	Ebploj32.exe	104
PID 1016 wrote to memory of 2928	1016	Ebploj32.exe	104
PID 1016 wrote to memory of 2928	1016	Ebploj32.exe	104
PID 2928 wrote to memory of 4576	2928	Ehjdldfl.exe	105

C:\Users\Admin\AppData\Local\Temp\58ae91af72185feb370c05632e125ded9b0012415e61a5c6e3d4af8450f2a24a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\58ae91af72185feb370c05632e125ded9b0012415e61a5c6e3d4af8450f2a24a_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\Dhlhjf32.exe
  C:\Windows\system32\Dhlhjf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\Dpcpkc32.exe
    C:\Windows\system32\Dpcpkc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\Dadlclim.exe
      C:\Windows\system32\Dadlclim.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        23⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        33⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        37⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        38⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        40⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        42⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        52⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        54⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        59⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        63⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3612
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        67⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4568
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        70⤵
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        72⤵
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        73⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        75⤵
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        76⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        77⤵
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        78⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        79⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        81⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        82⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        83⤵
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        84⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        86⤵
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:468
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        88⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4148
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        92⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        93⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        95⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        96⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        97⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        99⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        100⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        101⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        106⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        107⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        108⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        109⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        111⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        115⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        116⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        119⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        121⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        123⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        124⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        125⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        128⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        129⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        131⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        132⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        133⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        134⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        135⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        136⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        139⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        140⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        142⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        144⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        145⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        146⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        147⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        148⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        149⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        151⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        152⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        153⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        154⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        156⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        161⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        162⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        163⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        164⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        166⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        168⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        169⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        170⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6964
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        173⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        175⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        179⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        181⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        183⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        184⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        186⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        188⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        189⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        191⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        192⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        193⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        194⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        195⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        196⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        197⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        198⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 236
        199⤵
        Program crash
        
        PID:7056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7052 -ip 7052
1⤵
PID:6456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadlclim.exe

Filesize
120KB

MD5
1e1e4f6012a052f835310dd6100cf91b

SHA1
7c0ce7bb7e81b8c2fbcf0b844d1fb3d0152e797f

SHA256
0f0f2680f40206a11f9ea79891e79b15084b7c37e59f19c1fe37be57b847da6f

SHA512
08684c209f740633fc0320e0ad5989cdfae05ba4d4839335d6d44f69e835f062bf551debad830c590305ce31ea5d7c010730ab7b83f1379f2d036209f4e9dd57

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
120KB

MD5
b0274761d65ee1fd6eebbb0aa00cd5bb

SHA1
5e389aec4638ae7d35926e426ae5b1f5a01a6e5a

SHA256
aa38bddaff307d3b4fbd976f0535f492d47c93eb1dbe6d74dd21236b39671fcd

SHA512
e30bb2ef353b6567abc42218fb133528b3291dccc2423b28b0320cc7518a354ae4983a183d2715df74ad76c843111d0ae3c6b1b0f387a2525c6c1534d992b8f5

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
120KB

MD5
8f1e651995a499cdb7fdf4ac103abf4e

SHA1
d22dc4c93f6e348d483d699c862be58aed6d5e4d

SHA256
612a2319225a868286d87a77adbed38022a02e708a9ec16905aed038ef5c89ec

SHA512
a6a4cf7ae1f8589dd2abe2afb5e1de54784e8563659e391dd449e9ce3df2fdd92b53531e19dd35e45090a99ff8556dd7dd7c13c99ba9459647b29366dc2dcdee

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
120KB

MD5
eb8b9e2f6667d270e8dc055bce0af9bc

SHA1
0a335e2e4e373c096c433c8d69cf84c29e07c6c9

SHA256
0f2491323a4c9635a80841e6a5a6e2e12df5bfc7d1de4f4c6b38fc7f331e510c

SHA512
fbabc6e7223d1f3d7437b307205a246f6958da7e54de088e772f3595915bdc9a8d9267849ee9ef97e4f09de4860d4e42976fd010e1505e0a6837ca853b8791cb

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
120KB

MD5
f4ba295c2625fb44c315f93ba4b53d66

SHA1
ce1003e88454292d265647f257602fcaba5cae78

SHA256
15ce4bfb7e3a93a3b0a2501dcf82eeaea5b087733ca46e4b1a4df6e6a514d0e6

SHA512
b05ca68bceae6d3c843e371de34993ce047fcf3474a4ef5879ba2033a99c9129540f63bfe24fe00e169b834f40be3e21a6f112adf182f44682549392f60f3c9b

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
120KB

MD5
0ea1aac00fce7fe80f7b147f1c168372

SHA1
39eaa3ce6dc992e762f4e193068e0ae960b71681

SHA256
9d05ff0469a221412898bbaaf9f651848561cb599df390946ae98d8ce8f90ee9

SHA512
95e622dce3a393c6a01dc1f1ea25a84a58518a8b4f1d7e137827d2046679f7b7044f4377b97f4e31a7c6a02c37b2a60c851923adafa489d0db271c77866ad5fb

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
120KB

MD5
7097306d81e31458da68f6ed8c86b710

SHA1
2a401041a7c6a6bdd53e10cb52436b707fcf7dcf

SHA256
17610950da12edbcb4430e519abdd603b3fbe6cf998a0b6f49ee841850cfc45b

SHA512
4004c750a8e219ff23fbbe1c4db2dafbfd1a9a1a9cbae08aa8bf67eb0d6b2d4b0d29744f920acae4859a8b1699411129c1a215538f88612c86caefd611dfd369

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
120KB

MD5
721d3d16b5e79ab95f3c0c1afc16f577

SHA1
4380044b65838783197a9143b36e476f13e8f095

SHA256
2c7d592a4b8d488d72ede14204b20ff722de8dc6c29e20f558db7b536df735e6

SHA512
06d46bddc0e4ba905aedef508e2a94e1364eeed86b6054b65d83923a017cee280d5eb74b5be057c142fac4f04f2362654391e6b177b3297e6ded3f745cc392c2

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
120KB

MD5
9ac91c0e23ccabc592bde6141d037892

SHA1
d5dcea99771902dd05721510e4877e46c9491280

SHA256
eda0affc7ca666d0bddeab876f116fd1e9ce9e2d363c10b16f78d529264debb2

SHA512
0fe534aaeb0a02b38079c72b3a9a85bd5aa56aa5d53e6fbc53c26052d0377887a99ab91c8ab6dcab08243656d00d5332d4969abe863a7e0d0b5292d36753001a

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
120KB

MD5
c07214910744ba7a7de544dc54c30ce4

SHA1
9213e4f3490000d3cd70ad5f6532de667cfcbae7

SHA256
95c5f07de87208bd6bbe686a34973f19548dca22e9be5f7f12c017b5a02b3ae8

SHA512
b8ea3c98cb1f2802088c71f7fae170880c51d6e1f7afb5505ba56140fe9bc8eb52c98cc292ce03e60fa675550634d99ef35289c1af5d55a0c329cd8a3640b5c6

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
120KB

MD5
9dda146b23d2a03661fd2812844e57f6

SHA1
334cc627cd44feea0ab51c2cf67ec956d9cdd233

SHA256
de59906530d9ca16dd824a8d8a015012e09a5871e6f935275859b7a619452608

SHA512
025a277734861b91545f897aa392d5b36f82573b68fc8ba09c0d7cd9b2cacf5a3a58470656f9aa5785b7846ef8d1418b1066176a1964e284a1ef78b741dde7c9

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
120KB

MD5
701acf7353c1480173ece4b51f43fa24

SHA1
3ea0ea2d57996202bd1972f80493a25a1a08c89f

SHA256
0df160efa838638e2482fff3384a8cc30d7def1fe0ace02d856ddb6b38ef7d08

SHA512
819801b08dac9d78608dfd9cd641713c094396ca669521ed3795f29ef25dc1261535c9046fdf34f517f46b718f522c9a0a76a6977b63da3fc413103e645f997f

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
120KB

MD5
f2ff7090ae73b6f1e9a5c01ee2aaa026

SHA1
2bb82eeae7e7c4630325cfc8a5a4a748bd3a2843

SHA256
a369dcba67ffff0e4986ee87a2bc3b255a994fee2400744a4d605dfde4aba907

SHA512
1df75b504dd5ddd53fac35b2ede84785d16506dd90d86895c27068e4730364218c89726c5661898b39a375183f767a537ba51963db6e49bc29143c9b42ff0e21

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
120KB

MD5
65756959601d380e20250fff0bf9c4bb

SHA1
433041cb1a10dd9d4d4cf8334e663ba29321f9c2

SHA256
c39e9dfffc8d802892b1b4b6a32de4202189bc36e83130c7641d5677729031a5

SHA512
7661f31c79935ed12c6fc9dab94f067add869e94e9ba6420010e5b6ba2628345b1cf6a71bb5d735a1541b6faf14a3ee30a0a52201d5f4066b522a8eaa73cc517

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
120KB

MD5
e2231d6b88c430dedbc47f7afe2cff00

SHA1
3313a8f0c8a1b46a2a6cf19e40304d0eab9eb1bd

SHA256
2164c42ce2a84f3cf9a344a2f4dd6f12b96b11ee62ccd701fd1a6f72921f4b17

SHA512
cf99f0d8633278d5cf2024fd355a68b5610d80d78594295f5f12b811b8a54467c9f507c8a5e1cde5884eb71c2e6a6a223425eeaa3363feddf9c3f1aa7111de55

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
120KB

MD5
d15080aaf4d17b5084f57e2672aae00d

SHA1
2e854eb9193f317f2255c952134d1b5da49d027e

SHA256
ac283856adc793f079f4cf8000fdf9ad9765d42351a9b65d9ad24fede63dc88e

SHA512
317dac3ba52dd7b148ab5378594c9f656eab5ebdd7f058055cbb69e9edb0f7faaf7c06af2029e54c22f44ac94ab02d0b92159f34540557fa52bdd442eacdf2a9

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
120KB

MD5
0338e98797f34434017a4c6f11be6f32

SHA1
8819481638080d487214879190a1fe0c5df0331d

SHA256
1834327803941093da1006d698d0c61eba11c349bcfff07a37d4c08879891cac

SHA512
36318ec2b6882cbab25f6388cb4d5783d1d02a248dbeeef39b846070b3bd65a3d9ba7e5208e1d8f68975321556450395f279478b58159b0e55944dfa8def3c5f

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
120KB

MD5
9ad5ce8030a962dbb4117dc79b2b4bb8

SHA1
ac5a281c2e918fa43c5ce39a4eb147227d479852

SHA256
175d3b507508ea527a3374dc2c26f899de516dfeac22f0d6c7873b45f6d41be6

SHA512
c5645bcc4bfd829be5ff4af1a51c467bb28bb08e7d16fc82aad197d354ab9568bfbed8e241a0b99505df8440c550b167193a64bac7464580a2d37a4a8a8edf1c

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
120KB

MD5
5ec5f4b6776dfd4ca0d1cdbd9daae9d6

SHA1
d327812f58034c2fefe51067a4262c686c6830df

SHA256
d57404ae980ab562943e710a9c2101b2257b5dace6e400722170891e8cbfcafd

SHA512
c811fc7ca7c4c8d273bd7090f02762469430183a2e5d2d6e3846a17ea6eef660e89cf535f057317dbd008a9a8508d6a28dec853834d8219ca549f55ae9b81107

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
120KB

MD5
7ad03de3c25eba5fc7749080b1418d2a

SHA1
3bbd77a68b36bde693197b2fbef37246d15424fd

SHA256
2076f5d6dd7e55d720c745fe18a5343890457e1b6604e1a8513c684520d3932c

SHA512
828d8e3d361e98047aa341b4f325ce95e068cad3ee5c5308bd1b8b530b33440b6e3a20256fe3fb5506d23fb582576b6bf1ac0ab3ac94aa8924814e65b4e46867

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
120KB

MD5
dc1dd4778f8c37b2832b9e3ebaf56189

SHA1
26117d98b0c41c1b4d1fe177d07546f1c2f12e0c

SHA256
5bf03d34962f0ba03cc7f4ddbda4a67beea72bc12fa770ee0cd16ead7c9ca4e2

SHA512
f8048b2ac37a334732443c4e917f0eb33fe1727355b39e3cfbe2b9976cd5b03cdee2540e2523e0ef040036e4667dbd00f72fe9a432116935d32c35fcd125d73a

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
120KB

MD5
bfd54a6e91ff5e804d0e7a673b5f5337

SHA1
69d5c0b2c6abd647d026982057efc3ecf1528625

SHA256
1ebca13ec692a31abd83267d24390f75dce3afc37e846fb24bdb92a3e5985b5e

SHA512
3ce10a349837832fb73ffd7971c6352bf45738ccb8076c6bf8aaec07fb358d151098f4731a81f597f6073781c0752e9eeb6275b2dffb1cdb43a92b5dac0ad4a7

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
120KB

MD5
bc210c54d5712af5ffd447dd94f7e87d

SHA1
92548beed441110b2e9e0238cf385b0f334d6fbb

SHA256
eb5a4043f35a4b62706f3eecdeabee29e96f014046b9d0872593b066af3383c0

SHA512
51eabe82c7e2d889ae8b6521fc251959683bd423f0c34b55f0637ffbe3b034b8a3fcc06f7458f5d6939b07e98d0e47adc504a128aac1e1a1e9a80abcf89d35b5

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
120KB

MD5
b10717d6b743bfb097fa3b7cf67f7e94

SHA1
e0722bda73fe062b3763d7060d57def712e465c5

SHA256
c4933268132bbeedf40d5479a9a3fda49635b472ac8b3ac452e83a27a85da63e

SHA512
ec6107ae661c7a0c6fc72e06ff3886a507f5732fc2445f720a303844d5a718ac7ab28f8213b098b399ac2308fefbeff27692b73465a592563cca1b28fb3d7c86

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
120KB

MD5
2dbd99326ea9e23648a5015fdf42bdae

SHA1
e25af2070c33ee7a2e5ac965f180a1099e71e5d6

SHA256
eb8c3c02679157301868389dfb61ff327421a8f868e36155aa46055663b2d4f6

SHA512
3b094ea3fb70bf5c0b4fa03622cfa5d051d3ee888a1f3b840e3efcee974b6b069239d6b494c573206049d12bcf86e8bfbdda9de18919082072ad18cd4268940a

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
120KB

MD5
be0ae3cd6e42369e68f93bb215601936

SHA1
ec8e07c251c65ee8f06598ccdd9a3a4aa7ca57c7

SHA256
b44f3635e4f05fa963e4489905888a0b0c58431f8eec1dc952af68abc83e1365

SHA512
f59b69f806595060d5d76c168b9c4d3b039596a22e5753eaaefb2f20994e5e68eccd02e9088649ab986dc2aeeed3cae7d4cc2cbdd20eda725f3e29d24aab9b06

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
120KB

MD5
ed3147f50e617a0e21258a37ad2d5c19

SHA1
83b62cfb4776bbfec224300219fb6f009a742486

SHA256
039cf74670c36cf85229ac49fe48a96f1056701ed95b7a179849395f2c14ca55

SHA512
a457a9589e03077efb1065baef37d81ddc3d85599a31bb5521ae256e3071f7f6078533fafd303b0513f1db94208db81ebe51d04ac71394ea60d4fcc94f89a818

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
120KB

MD5
e1e5fa9d2f13c68b4812db1e6b76d0dd

SHA1
3f604c87014aae5f2c9d32b78bc62c109bc3039e

SHA256
8f5636e0dc16873fa26f6219e1c42a827f3ae443379d122639622339165a0862

SHA512
2be6edc187605e2bc05c0790d8dd9b7678ddb11e7340292e2ec18ce841c551412b521af0188c8ac25b3b50e6574a45d665b4a47b4c69902e1e3fb6d9472df533

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
120KB

MD5
cbf706759e42d2ea7f0178dbf9c6ac84

SHA1
da7516ac8857491c8298b712985bdd602009934f

SHA256
bb96214d2b38abef9cee2273408b1c7a56f20ad3d2654825dd84c12c1a1575e2

SHA512
2485b17a5a9f3677d6bddb4bda95362f2ca9014340cdba52944c1adc1d048f8d5de3bd4814e5cbc86081fc1a63efb5a5fb27ee165322198797da099ac65497e1

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
120KB

MD5
6ed7680fc045772568dfd28e124b386b

SHA1
95645cc5df6401c9523d123c92bb352a548d3169

SHA256
d74fbf225e52fda8c724f97d53ffcf52787639aa0095f14c45aca1ec35cf83ba

SHA512
a1038c5677abee9d1c461aa220c02a8b3fd851cf136f3100df6108b52ecbbe306ad5b4f611d793d0e714fb995751d378d2b500664bbbb1d4aba42dcd7fda39b5

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
120KB

MD5
a65fe219e773b299e7c2861299dc39dc

SHA1
59dca01b6ff6958c802d1fa5f57240aeee944c6d

SHA256
b418b545de15bbd32b622f8a3898f153f553836dbb74732632187e30d6488e50

SHA512
323032dac9444aea7881c38810461481c0250f6e3209ade9455ccd66989185d33637754b492a418cbcdbf4b52ea2ee985f35bed30ee9558c21b93746a1ee3704

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
120KB

MD5
8cc20ca6fd9cd1ee4b56f5af5b1779cd

SHA1
8208b1969d93daade53829f48f659db764e453da

SHA256
96624424eb4e55bd687cf838490e7410e8c9902ab72cd585159b9251f0d9e91e

SHA512
6fd2c22d593d77467ab380832233b748364ac892705058d9d35e4e5da1a9046f5a6ff27d0c933eb825015df30546d26f0dd375b7a0abb7fc438436d9ea526ae5

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
120KB

MD5
e3040aa78c18aab56e14fab278cd21c7

SHA1
c6a13556f2acaf613c97a46817b00d519e8e043d

SHA256
23a277f10a3d3f0c3c9d6d1638836b4c0be0549cc0f0e1b915cf220615efc2f9

SHA512
b138df8d0565619c7f3e27084dd72193849a9b904af01693ee2b302e35e3e439cfa76a3c66e02f657e418ecc6418085ddd8a72c181bc49ea5a0a49efcc63c789

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
120KB

MD5
75a729fcb0fda01168fb03d17f8e1e22

SHA1
7ed6732f0ec7f64aa6a5b8f9454a1da4bd2ad753

SHA256
cb9dd6e384f7d4a6ce1bab538c62e0158e30f8783202bcf2f0dd1319206d2baa

SHA512
09624b1081f0ba4b91cb794323277f49ef7839f10cbcd12c8ac34811aed3f2d3090624fecd07f2643e20466c438979ba15f796cdcb763efb83f15f2bbf6dabce

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
120KB

MD5
b30016d0bdc0ae22dd7fc0ab1f7a1ff6

SHA1
3e7aeed449add8f99bf1c10a7c3982d23e86798a

SHA256
268e20302df0e9ee1f496fa8d4d13a876d1cd3a54594d5f77ca259ff444bf8ff

SHA512
d57198df876813b05c85718976f297b56181c1da828cda55cf159c1047b0e2c1c03ee7eec6dcb89cbd9c877c48b33e2447f885f4761270067807ae2afb55bfb8

Download Submit
C:\Windows\SysWOW64\Kojeoiop.dll

Filesize
7KB

MD5
b3a9eff087e63fc32e27eb87b9ac35d7

SHA1
6e9ab50eb22d8cce2eb10747e5559eaed7cd1af0

SHA256
aafe85123cd26c1a26e6fe773f8db0c13c5bc998703ef00eca63665bab3f331f

SHA512
dcba708d6494a13cd49925b88e0d6dc949dd84acac504e93d8328ed808629f285e1713d4d5bdb6abf44380e5609e61805dc0bb0629f96433ec48cee54f249a3e

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
120KB

MD5
16cd04229b7fc1cfcbca2bbb255d851f

SHA1
ef548add3a7c5d534fca09c3c19c2d94e5fb7491

SHA256
458aaa26f6712b83bd7402336c60facdb75ed2d54516af9e51525cd9558619a7

SHA512
49ff64bf7ee268a07efb0575044266f16d7edfacbd110d72045d729a583d75b81cd992ecad8c6507f3e18f03cfcb981a1efc092778f3f4480a8550c755cbc040

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
120KB

MD5
ef748291f380b21fd8d100516c134bc6

SHA1
d9f98f15aea52fbad0c01b17a1c234bf60839b65

SHA256
319309a9842637067c531e1978914a5ae79ed1f72300af72edbdea9554ea8268

SHA512
d3e80ada8aee6a9e2a3bc6922ecf25313bfe90283a1e5e96b02753e8b89be4f1c95d824b7c79bdca7b7327ae9940f9aa31b7e8c4094348f3d92eefdbadae1007

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
120KB

MD5
4c9e210db473e8217c09bd334b192c52

SHA1
a28f90eec17a60c61fa5dccb1c05ae45462b68e6

SHA256
6a7d78790bbb4da1a381cdcb91b2da467404d9159e5bdc3f2c97ccaaea97cd53

SHA512
848ccaa66c958ceb3e91bed386e5089eec91dd31c5d90db429091f59a0284c14127d0c3e44aac4127c65056229f8954e94a44db3d1b33f1fc89a2c42d4149e82

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
120KB

MD5
188c40127addc81868097c3aca13caa4

SHA1
88f4ba7218c61d36f6b8f1019bb6445e109ad014

SHA256
359df4ed265098238776e519403f8b2cb6e7ebc40ac7db4aab5e481072ebc2af

SHA512
6a0a08676401a2954062ffaeef5b0f48cba02bdd418c25edcea314cbd6db7bb92e731f480727135cc04394ea0f73a4b9860bc7b596b6b12aff6ab1c6669e3d5d

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
120KB

MD5
2f6869b1d6a8aaf3828335c870e43057

SHA1
cc5c62309eed45700fa3f77fcb5cecd3ca6e1c16

SHA256
de27c8f89a9bcc7c0c178e0a93c31c80db61853e08f814de8be998a9af598a95

SHA512
027b573c7b5446e8195be464baf4e33f2a04a41cb16115c747de2dc553794500f745a135d1cf673311f3ee1809d8504f6013ea5531292355d46f3a0b480d44dd

Download Submit
memory/8-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/620-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/712-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6956-1332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads