a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c

Analysis

max time kernel
51s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c_NeikiAnalytics.exe
Size

63KB
MD5

7fe8719ab20171f95061b62df91f1630
SHA1

9a812f5c599fe1f3985b9335a647bc9a9998176c
SHA256

a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c
SHA512

80941c5818449dea720a3147a6d14f33a85c8e328c02312817c4247febd2f008682c67b1e16e30f29b87fe7cb3171e28abb2f49e300440d27a98dbb6741be6c9
SSDEEP

1536:fTqsTAfVOpSaoNLYWPyBxsfnkkDknmciFT7P8J4DX6fl:B2T5LTPyBxsfn6iuJMK9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe

Executes dropped EXE 64 IoCs

pid	Process
1124	Efgodj32.exe
2932	Elagacbk.exe
4820	Epmcab32.exe
4656	Ebnoikqb.exe
4884	Ehhgfdho.exe
4524	Epopgbia.exe
1176	Eflhoigi.exe
2400	Eleplc32.exe
404	Ecphimfb.exe
1904	Ejjqeg32.exe
4588	Eqciba32.exe
1932	Ecbenm32.exe
112	Ejlmkgkl.exe
3200	Ecdbdl32.exe
3740	Ffbnph32.exe
1216	Fhajlc32.exe
4740	Fokbim32.exe
4184	Fbioei32.exe
2552	Fomonm32.exe
380	Fjcclf32.exe
680	Fqmlhpla.exe
3172	Fihqmb32.exe
2376	Fcnejk32.exe
3268	Fijmbb32.exe
1924	Fmficqpc.exe
2612	Gbcakg32.exe
4908	Gimjhafg.exe
3192	Gqdbiofi.exe
2520	Gcbnejem.exe
3148	Gfqjafdq.exe
4068	Goiojk32.exe
3988	Gfcgge32.exe
1828	Gmmocpjk.exe
3980	Gpklpkio.exe
4628	Gbjhlfhb.exe
3328	Gidphq32.exe
5036	Gqkhjn32.exe
3640	Gbldaffp.exe
5048	Gifmnpnl.exe
2772	Gmaioo32.exe
3996	Hboagf32.exe
1772	Hjfihc32.exe
5056	Hmdedo32.exe
1476	Hcnnaikp.exe
4300	Hjhfnccl.exe
3628	Habnjm32.exe
4680	Hcqjfh32.exe
5064	Hjjbcbqj.exe
980	Himcoo32.exe
3060	Hpgkkioa.exe
2952	Hbeghene.exe
4104	Hippdo32.exe
2168	Haggelfd.exe
1972	Hbhdmd32.exe
3700	Hmmhjm32.exe
512	Icgqggce.exe
4636	Ijaida32.exe
5088	Impepm32.exe
2340	Ibmmhdhm.exe
2536	Ijdeiaio.exe
3176	Ipqnahgf.exe
4456	Ibojncfj.exe
1504	Ijfboafl.exe
1756	Ipckgh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ejjqeg32.exe	Ecphimfb.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Efgodj32.exe
File created	C:\Windows\SysWOW64\Neahbi32.dll	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fokbim32.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Fokbim32.exe	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ehhgfdho.exe	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5960	5820	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhajlc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 1124	3732	a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c_NeikiAnalytics.exe	80
PID 3732 wrote to memory of 1124	3732	a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c_NeikiAnalytics.exe	80
PID 3732 wrote to memory of 1124	3732	a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c_NeikiAnalytics.exe	80
PID 1124 wrote to memory of 2932	1124	Efgodj32.exe	81
PID 1124 wrote to memory of 2932	1124	Efgodj32.exe	81
PID 1124 wrote to memory of 2932	1124	Efgodj32.exe	81
PID 2932 wrote to memory of 4820	2932	Elagacbk.exe	82
PID 2932 wrote to memory of 4820	2932	Elagacbk.exe	82
PID 2932 wrote to memory of 4820	2932	Elagacbk.exe	82
PID 4820 wrote to memory of 4656	4820	Epmcab32.exe	83
PID 4820 wrote to memory of 4656	4820	Epmcab32.exe	83
PID 4820 wrote to memory of 4656	4820	Epmcab32.exe	83
PID 4656 wrote to memory of 4884	4656	Ebnoikqb.exe	84
PID 4656 wrote to memory of 4884	4656	Ebnoikqb.exe	84
PID 4656 wrote to memory of 4884	4656	Ebnoikqb.exe	84
PID 4884 wrote to memory of 4524	4884	Ehhgfdho.exe	85
PID 4884 wrote to memory of 4524	4884	Ehhgfdho.exe	85
PID 4884 wrote to memory of 4524	4884	Ehhgfdho.exe	85
PID 4524 wrote to memory of 1176	4524	Epopgbia.exe	86
PID 4524 wrote to memory of 1176	4524	Epopgbia.exe	86
PID 4524 wrote to memory of 1176	4524	Epopgbia.exe	86
PID 1176 wrote to memory of 2400	1176	Eflhoigi.exe	87
PID 1176 wrote to memory of 2400	1176	Eflhoigi.exe	87
PID 1176 wrote to memory of 2400	1176	Eflhoigi.exe	87
PID 2400 wrote to memory of 404	2400	Eleplc32.exe	88
PID 2400 wrote to memory of 404	2400	Eleplc32.exe	88
PID 2400 wrote to memory of 404	2400	Eleplc32.exe	88
PID 404 wrote to memory of 1904	404	Ecphimfb.exe	89
PID 404 wrote to memory of 1904	404	Ecphimfb.exe	89
PID 404 wrote to memory of 1904	404	Ecphimfb.exe	89
PID 1904 wrote to memory of 4588	1904	Ejjqeg32.exe	90
PID 1904 wrote to memory of 4588	1904	Ejjqeg32.exe	90
PID 1904 wrote to memory of 4588	1904	Ejjqeg32.exe	90
PID 4588 wrote to memory of 1932	4588	Eqciba32.exe	91
PID 4588 wrote to memory of 1932	4588	Eqciba32.exe	91
PID 4588 wrote to memory of 1932	4588	Eqciba32.exe	91
PID 1932 wrote to memory of 112	1932	Ecbenm32.exe	92
PID 1932 wrote to memory of 112	1932	Ecbenm32.exe	92
PID 1932 wrote to memory of 112	1932	Ecbenm32.exe	92
PID 112 wrote to memory of 3200	112	Ejlmkgkl.exe	93
PID 112 wrote to memory of 3200	112	Ejlmkgkl.exe	93
PID 112 wrote to memory of 3200	112	Ejlmkgkl.exe	93
PID 3200 wrote to memory of 3740	3200	Ecdbdl32.exe	94
PID 3200 wrote to memory of 3740	3200	Ecdbdl32.exe	94
PID 3200 wrote to memory of 3740	3200	Ecdbdl32.exe	94
PID 3740 wrote to memory of 1216	3740	Ffbnph32.exe	95
PID 3740 wrote to memory of 1216	3740	Ffbnph32.exe	95
PID 3740 wrote to memory of 1216	3740	Ffbnph32.exe	95
PID 1216 wrote to memory of 4740	1216	Fhajlc32.exe	96
PID 1216 wrote to memory of 4740	1216	Fhajlc32.exe	96
PID 1216 wrote to memory of 4740	1216	Fhajlc32.exe	96
PID 4740 wrote to memory of 4184	4740	Fokbim32.exe	97
PID 4740 wrote to memory of 4184	4740	Fokbim32.exe	97
PID 4740 wrote to memory of 4184	4740	Fokbim32.exe	97
PID 4184 wrote to memory of 2552	4184	Fbioei32.exe	98
PID 4184 wrote to memory of 2552	4184	Fbioei32.exe	98
PID 4184 wrote to memory of 2552	4184	Fbioei32.exe	98
PID 2552 wrote to memory of 380	2552	Fomonm32.exe	99
PID 2552 wrote to memory of 380	2552	Fomonm32.exe	99
PID 2552 wrote to memory of 380	2552	Fomonm32.exe	99
PID 380 wrote to memory of 680	380	Fjcclf32.exe	100
PID 380 wrote to memory of 680	380	Fjcclf32.exe	100
PID 380 wrote to memory of 680	380	Fjcclf32.exe	100
PID 680 wrote to memory of 3172	680	Fqmlhpla.exe	101

C:\Users\Admin\AppData\Local\Temp\a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a0a2d5a070e675366c236c2910af2fa7109535d9ec11f0264d58c9299170431c_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\SysWOW64\Efgodj32.exe
  C:\Windows\system32\Efgodj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\Elagacbk.exe
    C:\Windows\system32\Elagacbk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\Epmcab32.exe
      C:\Windows\system32\Epmcab32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        33⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        47⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        48⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        50⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        51⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        52⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        57⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        61⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        63⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        65⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        66⤵
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:536
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1724
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        71⤵
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        74⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4572
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        77⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        79⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        81⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        82⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2144
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:552
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        85⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        90⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:508
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        97⤵
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        98⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        99⤵
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        100⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        101⤵
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4808
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        105⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        106⤵
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1384
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3392
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        111⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        112⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        115⤵
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4764
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        118⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        119⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        121⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        126⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        127⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        128⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        130⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        132⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        136⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        137⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        138⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        139⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        140⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        144⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        145⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        147⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        148⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        150⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        152⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 408
        153⤵
        Program crash
        
        PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5820 -ip 5820
1⤵
PID:5932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
63KB

MD5
a32c5f589d0335fe44273a41ed335fed

SHA1
9299f73c45c5983b231783b2ea25d81638e274b6

SHA256
d655408c9b7873d81e9b37c43d9381bf86fedb01a3cbdca69e08d22d573e2b9d

SHA512
23e5043203f8a469db00b94f8077408cd59c0d0aa9c3f93b4a85e1e856f5b77b3e2c51f02b2efd2a4452daf6cf2e7336a3c5cd7ca2d7c17707fdf78b5b316f22

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
63KB

MD5
f74f2ca8ab37ad21325c41485f71d970

SHA1
ce2e03fbdadfe55844c40d1263d38060c1255b09

SHA256
5c16e238ad4e1865dcf217be13553fe5cc91caa50d95e03e33515b262164c15f

SHA512
d2c3cef10a78af8eb7096897a351c881106912322a37d7ce5b36201470a70c476a95b367cda0b0b81af6f1220329dae9eb3a2cbd9338cdd3a9c69137cd98716c

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
63KB

MD5
92bb46ce99982981c47c025371b42144

SHA1
31e555f4da5e18a990b0ff5497dac657dc7cf877

SHA256
31f613aaad5ba3a3d1e142ad20a6193b0e9ebd81b411531172dcf83b24388f35

SHA512
73991a8b830b6066c5830522e94c658d88671afffb2e5823b7ec761d5076e1d87a8b21307ec06a5fa1bfe93879d9139856e5ceb76e911d8e496b298285752870

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
63KB

MD5
f5f59db51c8b7cdc08c0ce6a2d5e5f8b

SHA1
7f0405fe650ac290a9023ced171888d06c97a3c2

SHA256
6efe9d5a660e3638591f2d1202dc802741c5008214da1223ef6b0da1a923a3ed

SHA512
421fda11a276b8adced50050c4fbe30b5ab913afdb150863b013871d5118fb6edf1e2518bcdeebf4da399f9bc6c370b5a594703b74f58eab424a408f379de088

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
63KB

MD5
2187b242ebf02837fde8f83190e0eab5

SHA1
b9c8953e88a6abe5df77936982873ffcf3d42fad

SHA256
8cf7b5fd8b642db2ce9bdb0ce12cdbce7865e2830b24199d5d1ca95903ac119c

SHA512
a709035dcf2768d1e90bacef0785b927ef42247928c174aa07fa0fc309c52d97c3ccb2a2b34c2257580e9a68915d55682df0aa1f71d76c2ba2d5fc7a998d95a3

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
63KB

MD5
52de8872d088b443526e94675f7006fa

SHA1
12cbb98191bd39d6bd9761c47b7599a3d6b090ca

SHA256
2f3bf1622a8fb3c22a6306003370525e65dabfa3ff672a020a9cf7b13b78a941

SHA512
675132e7f1f36f25aafc3e884a5d65881e634eac7179b5e663823687d7660fb92e7f5313f8708d96724e7c60892553c64e5c2840c149ab5c6a91a013c09f8b75

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
63KB

MD5
854d303e06b22ae6e0dc8c793fe2ed5c

SHA1
d361f063a772b5987c381a89a1209999325fe32e

SHA256
9b4129aef9fefdbc81c1fd538d20db83151d25b8e39a7271761fce3bafb36d5f

SHA512
f8487c37c62227720a52e82080cc63d49010fb7d6f4b4e3268f5d6892036b9372a85361bb5f2aa7fde7938095c31007a31c5e2468f2636f3a8a35b23edb55b4e

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
63KB

MD5
b152e2560db1e76040affd4315625fd2

SHA1
565a8a15cb221b3c60c0944fc1307748117b6f35

SHA256
7273b110a87c445432334cf45544e44ac90f7ab42a56aaea5530620bae69966a

SHA512
052b053eb0343541ca39dcf8f502300fe688dc3e957001c54c7f528a45b75d97eac31375b7a851fa20a8a2e18509fe672e9cfd01a40f0c06e379f023bf7943ef

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
63KB

MD5
e8f7a93b5167aea4a1952ebc2141b141

SHA1
4117eb779d769b36854c787eada34be701ed67be

SHA256
c55626c226cf4958de9a928348a16999e83705d1cf7dc53c30ccc59ce5809337

SHA512
51444f2f3ffb8cee2d0d32ed19d75054d806294fe01931a93d6933864b7bbdf5364f35a7db5844a7e32d7b4b6f57f260a670753eb8459c0ce4547690db2bb74b

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
63KB

MD5
7b83255240ba7dd6c76dc5341719d017

SHA1
338ef6a889e3f77fbfcbd99327adda332a1dac6d

SHA256
ada514aab75794ab9dbc477d280140318ff2095fbffc53312c18ed135e608fab

SHA512
33632a2ed9f39ae45842ae209fe2b80504709cbb7c7b674fb3d9e1b7c958c135dc1200aba5b31099003abd48a0eb7aedb9ce49a1d5e8fba83ced9e54eed84814

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
63KB

MD5
d39cffa9c823a56c9afedb42285b3b35

SHA1
65a8ae343f3e52a8ed1c2f5371482022a8ef0291

SHA256
515fd94ff625bde07f068f921f8748c9119a4ce3423bd9c53d9912403b56dd54

SHA512
e4de9333c641037e78ce9480cb7a0f256697ece1299cfb1a3c8064fe244ca974f62718db3a7bee5680f8a062655297b6e547ab0808f1b2e24dd2753bb1e727b5

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
63KB

MD5
24ba7e2cf3324e969d14b39a985306c7

SHA1
a7f8b86227fb489eb3c26eeb0979ea701ccdc9e8

SHA256
20486183295e8fb64aa5015a1b928fe53b4d5178925bf7ca8821ce13625253ed

SHA512
afa897f3f0623fcb8a388c9168535b3cff8de7ce137e026894d4922339086b527b3466054309dc914620c6c54718e1a97256043632bdbbafad12185d5ae2e3b7

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
63KB

MD5
a3fd52d6e67798a0ab2ddba9cdbe20c8

SHA1
bc7cef345b623caf93e1f5eec59d2ced2ed58c54

SHA256
02f24629117b7988d5d77debd10fbd5626797cc3597679265502e9e2fd6a0c3b

SHA512
c649eee6b368b69335244a7bb3fd1d84e0caec351ea709d7b1bce5a458f36038f8fe5220905ac4ac90a009df03c0207eee72803f902fdb5703d12a5162fb37b8

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
63KB

MD5
c704df8324d709ae2986ec057a650557

SHA1
24841076a87c8f1dce966fbb6538c321f7dbcd69

SHA256
1c692a7980cf883b90a7a3b1ed4eac9af6e44060987afe58a2047f12b0f0fd30

SHA512
c6ea3bfdb3614c7a41d668467bd7d7796eae57480a51f6067cc71ee71f2930ef95a847ddf41f0a563cccbe37fb31b80a77a185e33027811eef099f7117e399b2

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
63KB

MD5
f2459ad49835764fa873f9ff105d2953

SHA1
bf32d13b04840c46dc6665711deaaff6130f45d1

SHA256
32339a103f470dd5691157a5d2e0e469035fef648dbf56963c0c4385820144a8

SHA512
4bca63c6227b6ddf0b6175b866d25c56a8f7c8f76e2ce136aa686bbbf815f7f85f81eac12c71b4467b1d9a9a2489796f91cb0e211dc45477e63432272f423659

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
63KB

MD5
0ac616ed39d3334955ab537bdc273a55

SHA1
3c68ed1b59eb0acc951e847b40179e1fdb856ce4

SHA256
c5dbb64c0de294bbbcb2a21c0e9e256320ddf695f1b575d66dcb2fb86164bc37

SHA512
90455200a9e62427ab523e1a22f5401f3b6b7774429ec46ac78369b7fcb04811d5b759a7ee570e877907c3700014ade4f63800dea35348274754b666b6881fee

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
63KB

MD5
4bc77f01606918da1d4ad7daba21cb17

SHA1
383db6e7aa3048a4dcb226f4c40fe391060aed33

SHA256
00b83a011422be6a6b83cfb53fe7c61320bfb26ec8bebcad9937728c73b354d5

SHA512
607b07f101c6eb8f449a8e59107389b53c4c5ba2c9bba6bb71cc18dec130fcc7122a94ad53b21db8e60d81db05bf0b248885d5014a795c7cf46768dc89e991d5

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
63KB

MD5
30ce1300a59cb1438fed830e3b8f437c

SHA1
e6d3dcf6863ec5487d637673043b5e7d407d083d

SHA256
14872e1d6814adfb1f2c7e25af9d0b4ebb892c5c251ca8a5fa2341a15f56a8f0

SHA512
9c8a6556a4ccd56b262c064de3000fe81edaec365b6ab63919886a41d421ebe4817ef48fbc6a06dc730fe03fd943c7b13e7bddd2c8557e93f99b7dc0cada1fce

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
63KB

MD5
14404759265bca3f9ef2b28705d36d26

SHA1
c0faa356d46c41e07b646f398fc14f3275363ba3

SHA256
b92ba32860c7550740e9427a7996f8fd0a4cf485b6dcdcbe73494ca44abcae8e

SHA512
64377fc70ca7bafa176e97e347248cf4a270003aeb886dfdb1bbdbab8670bb69baa943d0c17477ef910aa5475bcc8196004e84d793ccec10dac934503d99aa66

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
63KB

MD5
7b9c5e211d39118b63f6bc848d896f90

SHA1
e1004d680baa8309a8ee95fa27cf798893f835ff

SHA256
faefb34000eaa0e3eb192ef009f0ce758024a7ab6d46e4ce3fc386ab3138b1a2

SHA512
9f45212e6c0af99c369b5799fd17ab5804d51a07cf31cb8e9740d300e83e105bb63ffc62cd52e9e6456275386371268acdcff65da0a608141296fd55eec9a8e0

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
63KB

MD5
435b29a06c5055df49c683a273c5d28d

SHA1
b884d997cdd0b0df3aa02d0ee874ab813c028a19

SHA256
27e002dadbd85bc062f79fd2eab7a0d660c518fefa1817b76f89a89766fd437f

SHA512
175a80e97564156e644b51ec7e1741cb58797dd19b02c106812505a2f7a3a2d2c138037cdc9f4096ca3327c1139669f6cd8c51265a667203d1788ffb110e2fdd

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
63KB

MD5
aad8c32e36f6925cb3a49e2592decd1d

SHA1
f08e4357ccb293de8cc7194261a235593bc9b3f7

SHA256
bb46bd7a8a1b5a1bd8a46c5772159b69c69362e03a62f805cbf02a33e9d003c4

SHA512
06983ff45079a30da186f3949e9fdb9c68d6ac45e85141bc7b0f382e9394f452c9fa0827ff07ddbe7b41d3f94662b9a09d0c38445048c43de4d63ef9e7f5d2e4

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
63KB

MD5
665d920eb75c91e17a543f6af48fee4a

SHA1
d3c8a524d343d2b1e992947fe205623987a447f2

SHA256
8662a60f57c127d832f1cd54356b6396a91839c8ad10f4b4165bc94bba1b85e6

SHA512
4b826354b3ed56ac12758854e7d6a1c504f5ae269d144e0dbbab8cb86d64d6a0d6a49a543f56dc9d0ecb0021defb999184953144846dfa29cfa553da62bda582

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
63KB

MD5
ff01ebfde5e9eeb741437772ae2cd8eb

SHA1
0e6f58d148f6e36ccc5794db6d29c9eb57c235b2

SHA256
37b61766850278633d9ba3cdaa9d4755aac854aa72733566013a58696dcd15a6

SHA512
5e64c83f404c43f0fbb2be26105891e1142eb7134282609a7d6bd211385676732999f25e942f42208795c72ec6fc560eedfbf50dce5c242c356a721828e0dd47

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
63KB

MD5
5acfd66ed16165414aca7bf84ede0234

SHA1
6b6b27de188789781755a5384e7e916e8a8db262

SHA256
10cd2e267be4d9db20ec2fdde3582634116782ede49201ced119c6a9f413bc92

SHA512
404a76c202976d1711e7f93745b77ef935e0108faaae8c78504328667d8ce2bf2135818d4f35c47ee94baf86d5c3ceae9df65e9dad4258d1c68509894f4932e4

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
63KB

MD5
7c560dba51e93cce158563a8d9e4d17e

SHA1
ce920b3f9d0d2251f3110da4f60c34c6fd15426f

SHA256
dc5f492d62b9fc5d664f6375777f25b953ab58331150b5e9fd262e85cda8507d

SHA512
4a63b85dd591476ac7aaf21c7beb2d4c4215851f0f16091b8c3e0b2f1e83fc500ddf3010a9d942b667d72a06c68675195d1e8ab6a9859a7f8131e07cf3989be8

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
63KB

MD5
51a21390bd01f078d76ee4d067c6e724

SHA1
1f9c839b546e38b3eb19628b1ed8ee05ee5b9b73

SHA256
15642b2a05e0f017a92bd64a3541f545fb365fccb00245caf1dce1b215b1494d

SHA512
a754373c8db77d82e91ebce52483f1a26fc771235a4faa03ef8340361a54d4f4ed6b3891849aa42c986d617784f99df38364dda21efbf5960cdea9158e434149

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
63KB

MD5
a141a4afcca73e31e27635096b9b8be2

SHA1
837e29cf3b0e51dd4325fd2d02a780ede9d1f1c7

SHA256
a040712aff203247ca64ab678c36c972e1ef9aa852af0c25ea4cbe34c23a52e6

SHA512
1a2881e2e77081c06866c398814d71af461209d8a703fe5e7434f97a8bdbba984fb9b6e18818ab62ac70321b12310023793422f33656b7b263c41112a410025b

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
63KB

MD5
c649b32c4a19de692305112da418f639

SHA1
3e008564f647ac6237a04a58b609b8a71062aa3b

SHA256
404bf45de8909d7eececc9fa69ce8e3b5136e01db504b6f0a36f5a9bf3603979

SHA512
d10226ec1ec0d00021448b8aa8171556bbb66338c6e17bb3a438f51c7916c8f8b3845cf8180893dac306032fef1ddb479d8bf41008757f295a42dd593c18957c

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
63KB

MD5
6933cfce2d6c03fff9a4bda2df90a7b3

SHA1
ddec194e32efc9821f0dd2280d335a6202e6b47e

SHA256
1f096987eca395f785050e14738fd3d8307abe319bf8fa88860a4653777278e2

SHA512
58872ec75b32e262b63c76f761d25d69604c3bbe3cc9fcb7796cefcd03960f8093a5ce9020f6651ecf3d440a04d9ca14551052b8de59644b55d12339950e7992

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
63KB

MD5
6ac4fdb9caade53390124f75415458b1

SHA1
64801cf08a6b5c5eeaa52418b8d1c6e0d704aa57

SHA256
ea5cc3ff87116e8941122e793f3abbee35edbfc55ffe472339d1fef8767d0613

SHA512
5cacab0b12511609368038eca99ad8893fa1ba61b663daab4f6f471deef8169389772976a8cfc98c141c04afda8db2ce354338e03986e3532fdcef5db88b8c52

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
63KB

MD5
7241f9a07b351bfefa9b97064549d3dd

SHA1
7163fca7bb08a55c64efa6ad96dbf1e50ba4338f

SHA256
dd0f6eb8241da9f444a52dd79282c4aabdebc11d0d18988b03aee958ee29fb9b

SHA512
fb40db84106df15132cfec17fce27e766acd7d1a32f09ba57de16333e1bff690d8ce173881dcadc57cb4448c316864da19443151aa80af4407af797c041d3d97

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
63KB

MD5
082a0956a87720fb395b24977347dc94

SHA1
484b40aaba82f45b777a26c70490590685591a83

SHA256
0fe760684116ed03ca092a674c12285150b53b778012193ec4ce02c600ec1ba9

SHA512
6178f1791db6672cd2842b5b0c018b1a63039a5215c3aba7502344d5bb1d36523e32260b94f7bc3192c32e9d2ae8bc4245cd96adaef3111f015b0f639e2cb453

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
63KB

MD5
cd134ed1878d1aba9865928e9a34f372

SHA1
da476dd807d464a8768b59209b4b7aaafcba738d

SHA256
598757d89cb239ee97d1dda06748c9cd2278a0aebdd71e936d4821d22276c306

SHA512
a04c166696c349d78906d45b7f17d25141db2983017a080288e9ba7cf76b0ad8117596e3f02fa8dc76b64ca1cd7aa0fbfdc473433693e1b322e62e2a3dbaf7cd

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
63KB

MD5
8664edfb1d0be8b361833617a3da2d5f

SHA1
ce04cbe1f341ca2415c0d9a02aa92323fdc1aeac

SHA256
974931adf5130f2ea7818dbb7d189428362a6fad3d368a9ca7a6382ef8f50238

SHA512
2510148b8dc5740eed034335a9ab27df23b6156e8844fb6b05ee43c90e32db90312159e976b756603cd7717617fbf52bf28c78f2a7c4689334b6020cdcb8738f

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
63KB

MD5
2ea8b8cb189e832fcc374cb21948465d

SHA1
5f81e66ee7915a68e6c6d0fd05e8e8b9a30b45a2

SHA256
fc799fa9035010eb7c8e20069153af1a82b49b56678d13279a55960aa2286ce6

SHA512
1e2f71ed3561948266f242c5c2e8e2e45f865b4d9af874b2c433d3ee7e761c613ceae9c7f16b88d037ccef7f9deba285173d21d052683c7e5e6131d28c2f1878

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
63KB

MD5
29570f2d3f01ba1c248d0a5ae2124bbf

SHA1
4e1a907c7dd81ebf9cf89df2d1a4c5d3c4098205

SHA256
3d8dc10730ebf5698fa783fb30bfdff78d536634e5a7c0874d3d474b07f4b3ce

SHA512
98cb5de8df84126142d5d726aad5e5dde8b604fc7aa6dec28ccab7e2e913adcc47e9b5f30af93250f4a99417cca2d167d14aaf6dee8cb30315906406f3aff363

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
63KB

MD5
4a00324ff575c4d28b8ef406927c81d6

SHA1
e06d63338e4d4161dc4c9397ac8d45433d27d04f

SHA256
2cd7cabc8fd0f6751ea814bde78a794428076fc98cb5d6d63139327918aa12e8

SHA512
1360f8e25f642d4aeb5760d69ef89a0aa4d5620145ba4f52d945258e9a1615355ed67d66e22fbfa373ba1c2d71e34427ee3c19a3c8c1570cbff9f623b2302aae

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
63KB

MD5
eb81925bd2e47702cb2a451976ce0b9e

SHA1
f58d85c34eaca6168e14e4d4db5b4f39db8f7e42

SHA256
19dd2b97d0d2e3ceecd223bd80437b75010edce90d6fed6b1d94229c87916787

SHA512
7335d5ff6dcdb62c095bf340abc14c9859d9d0a2f3b3b7e80a853b3e98f4fa0de0ed61f65dd57f489264637a867252fad85f07d65318791941762efae90da00c

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
63KB

MD5
f53d16a9c7292dec3074d2565e887ecd

SHA1
a3297d267bfe82b6319812059549a798926ec68a

SHA256
5368d7f4bf6e9f3d547301d9274edacf7771d540754fe13b24efae7dc9fe535d

SHA512
95ccdd2ec775b5ec621a6009df5f945380e37798f28ba97e04df08b9daa43ecd94b0eb256486113461dee910d0a694f04510f86b0f8f05a42af20818907ee0f6

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
63KB

MD5
dd8b47aba9c2683c50ac38f38e7ede91

SHA1
9f86f379ce4af2d24a6c415e64a6564ac409dc7e

SHA256
a169bafe724af29c72811b771e2641aa932e036dce911f16a5a33c54bba600b1

SHA512
bfce0e3706bc664facd95c58df3ad87762f19dc80ac473b61786e6627b2885b64355b17b87f3b45254a2afef2fe2d9e0638a3920716b8fe908fd0ef4d7572ad2

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
63KB

MD5
689d34315e77be09e8b1eecfed1205f3

SHA1
441374c42d8355a8e319848ffe6d06e692f8cc98

SHA256
31ce518a33d076fe29592a94d668397ae40c2bf46cb06331803cc9b2583f339f

SHA512
05192ba5c6bdd96b56e6ffc73c72aa512a321269c1696db55dc1b24db62794564885b2189fdf3feb491cf9f6ee18031516f19dd66127251301f5304bd9b07ab5

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
63KB

MD5
71a4771e28a4d4c4cc9845a95d5d9793

SHA1
3092cb59f6475723e1d8f9749069ebd055447503

SHA256
2961caab11ac4d18e16badf9a37b8a9b582a12da3791dd9309c1527f81f27033

SHA512
f2226136ff028e0241b3eb4a4a97fae33cbee518e39bfc1c6a6c48c2fbc79fc487216db1751c2cb848253b4334c36be1a5e5eb369fd0079172cd026dfcc7fb79

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
63KB

MD5
9ab7a410d1b77186010968baab11baca

SHA1
a279d2eaa7e49334b9a066b8e30389a0decd5def

SHA256
4dcf435c3d7e0d1c27b15f5bde6d7e2397d3467cf3b348f8f5d32c67322f7c72

SHA512
9b26077550d85ec39a2d25f292afa424f37c02113dac7241dd03aa45a07ad780dd2ec9de86d92b811164c7e9cdcc1ac33a5808314414c23d2c1faaa8bd91e74e

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
63KB

MD5
7a7bee37e6ae323c6b7aa3cb5b2e526b

SHA1
0eb3cb6de3eb5ce0fa847b455d2995a38ba70cc6

SHA256
39ded5f04b4b4f42a0a38d1a89d1ed056a2533486fee94e42b5503767a360c63

SHA512
62dcaaa69ef9649b9c905889ee1a4cdb9b90486acbe5487b4724ab2171df166c1dbd500c70a8f9f5b9ea46115731f3f77ffdaa5d629785d77182402b8f1b1236

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
63KB

MD5
8c2c9e7666fb36c2003e4274946fcab8

SHA1
ed78b784474b2a5516164bcc145d7948bd07ddaa

SHA256
ef5f68e34c48cafb4d252e8419a5459552deff72ad71417a8059c2a0bfec3099

SHA512
5916646aca78f4f4ba2547502cdc024fbcace4bd30492b5eed77ac827778d9f56d2b5f11ac7252a2973859c662f3248ce1a9cd492c8b7ad5108f48d12f1ae725

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
63KB

MD5
c3d27443574cf92e608ff79b74474f3a

SHA1
c09adcbc4b16a1a9e899c317b88bae4a8a3dfb8c

SHA256
27587326a1821d98af944a16fb23a576b1bd0cbc48f589922442dd041805b152

SHA512
b008d5226410111cca419c41d384b25445192a762ad9f8fb8e09a70d056e49f835b116f3d0831d0e7ce57c6354db1ac42d86af2677a032b4f174d7b98ad3bc49

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
63KB

MD5
17ea455c2216fe036ff744bdb039d04b

SHA1
5907d756bf764b0591342aa7b63778a238ac8dcd

SHA256
65af6c8a6e312eb8581913c44f8d8f5af8b79d02c49ddd322ebd70b7df559f18

SHA512
e013c086c8bed905464f8701120f8281bb756e305b186a73249b06d0d2dd7e7aae0ddf675c1972a1600be94f43b452392fe5cf36a23aefb0222f036885ac40f7

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
63KB

MD5
6dae87730e2fc44d0ea2621c409c6d4d

SHA1
7f55f31df91146f5a0f366d55fb78817be4798b1

SHA256
ba3d6cbe203bbafb105de37b577be4fdfa6e079bd53327a6bf10fb364e363593

SHA512
acdd3339b5b9f4864bd59bda5b9e316fed899ab2639d9833762c3c6ec9fa8f566e8a1df1da7fe6bddb3f46720f796651c12d00781f9fa830d4c9ff43b87bbfb1

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
63KB

MD5
f4b78872a00d53f70de239d4335e0a87

SHA1
6f364c2a7d4579740cc9ea46f357eb573cbc625c

SHA256
74d69debe1c10d8f9184c0c2039c1250c8f2f1cf432df7adfad9ebc65de8fad4

SHA512
474a411a7ce0822d39e0cda5e8cf4ee14427f357ea88141d7b2078edb436d75dd366065c9a67172162fb7e3a19ff25fb8ff3e7ab41988b7589ec9d06d0068638

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
63KB

MD5
8403354cce121f8ca2dcde1c6b640c6b

SHA1
34c521c48084a95ffb2df3de75ea65b5c70c96f6

SHA256
e65aeef9d4535136eb3c0417115da92204e48a28adda0574c88199a470cea257

SHA512
4ff4098d0ce4991942912cfcfb7a8d90dab07807a649d28bcf7832851133602407a0ba7e0732398a0643f25138c3e9c1ac4e26cc6b0a1f81ce132d042d939e69

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
63KB

MD5
fb3ef910a9dee103f9c3542880f55464

SHA1
296e1983bfd3e7377b5bba35115e4f6cf8744f69

SHA256
ed9f41df6899853784c346dc2905c062b61a72eeb299d1e9be971598004ada32

SHA512
94d80526c10b58a9321fad7a99bd4aa8f6fb7de67adfb532887743db2d0dac103db99af26dd6b1a9957173eb313d830f368f638725de7c8af5b776400bfd65f0

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
63KB

MD5
719503153873376ac85a465c67c0a81d

SHA1
704be96968db52dcda834eb21de5c51263b53fc5

SHA256
190a7c982bebb0303029532aacd1de8de4d73626ff3e0f3152d51c5064972f45

SHA512
667e6ff72069407c68faf6e9457461e01172da229d85e494e2bbc31fd003337e9dba6fb12e0c74e6b4c648df163dbc90bf774619337a7a0584348b42d10c6b22

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
63KB

MD5
24466a4b7263e19aad254bdd330c3556

SHA1
7587b203cc4816785d5616bbdb9df65fe2d9a651

SHA256
9aa18a4693c8cff6e841498f0a8bed0d646e1aee452578c331928894081a2b0b

SHA512
44f76fd4075b2c61dae59190bd3017b3394af4a0280d0de63769b6a21b833e43fa851ec1cb4009dabaa18d7fd04ec43237c1fbcc845663de8d3f3ea31af541dc

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
63KB

MD5
ff1da73233695e90bccb85ed05028dc5

SHA1
a8a80ab32a8553c380b5b89dc8bc973ebe7f9149

SHA256
93ad9e8f4ebc2668170e5d7d6663707a118f25d33447d00d0fc7997216d24b50

SHA512
33ce45c8f6f97ed4a9d72fe7e7368f358fe7fcfe8db658ef7102491a83cba696cbb199fb305a59c36d12a96c9de571119df21e9bc8843f4eed619a2a9c370b39

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
63KB

MD5
3ff907db8f2cd14bc673e9aa9f52a5fd

SHA1
406349b807b0a5dae3cda1ecc0c4665c5cfabf53

SHA256
b1ebbdac98e97216db61824638e57acd2c1ada5538e03ee99849999f52cb1ba3

SHA512
be67c9c85f7aa0a89b34373ded56bd3c8e09c26655a3ebce2e50de6507bc887b4a454ecaa3b665ab242d28825546c876585793d851dde3fe1c1050e4c6ae4d99

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
63KB

MD5
ff49804f8eb12ba81cf1decb748ab24a

SHA1
7f8835eb66c69b33910744575ff9f8ef2a783528

SHA256
07cbd77e920c2b367331f91ffef1d397b9432d6489c146b4d677ec1723d86499

SHA512
9441715f4ad7b8b8dd4bfeef66803c2ef813d8403ef8f691dc668cf86a7215ce21612a8f5282ad4b5e5720c7a6f32d8bec5968b1ca6376cd4115306a8591327a

Download Submit
memory/112-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/680-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-1093-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3200-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3740-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads