02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990

Resubmissions

29/06/2024, 21:53

240629-1rty5axbpd 10

29/06/2024, 21:49

240629-1ps9taxbld 10

Analysis

max time kernel
130s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
Size

104KB
MD5

2c95b2b9ba80bd2eeb26422c6c21c500
SHA1

87f3cdcbdf3cf0b72a879447cea0a644b51b6b03
SHA256

02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990
SHA512

7d24812f5fb9e55f9698744537cff7ca2b4ed5c93c8cc2bf335ce1a0a946e306985b8b7b2be8267d527974d2b9971a4d7ddb9e425db04ff624f2dcbcf8bd3413
SSDEEP

3072:oGCo6a+dYpdmtAtL3A1fJe5Jx7cEGrhkngpDvchkqbAIQS:pCpaQYPm8L3A1fc5Jx4brq2Ahn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe

Executes dropped EXE 64 IoCs

pid	Process
3444	Efikji32.exe
3536	Ehhgfdho.exe
1464	Epopgbia.exe
456	Ebploj32.exe
212	Ejgdpg32.exe
2004	Eqalmafo.exe
4508	Eodlho32.exe
2772	Efneehef.exe
3840	Ehlaaddj.exe
1480	Eqciba32.exe
4224	Ebeejijj.exe
3320	Ejlmkgkl.exe
3292	Emjjgbjp.exe
4864	Ecdbdl32.exe
2084	Ffbnph32.exe
904	Fhajlc32.exe
1408	Fokbim32.exe
1624	Fcgoilpj.exe
2936	Fjqgff32.exe
2392	Fomonm32.exe
5100	Ffggkgmk.exe
400	Fifdgblo.exe
3592	Fckhdk32.exe
3236	Fjepaecb.exe
3684	Fqohnp32.exe
4228	Fjhmgeao.exe
2928	Fmficqpc.exe
2912	Gbcakg32.exe
4488	Gjjjle32.exe
4568	Gqdbiofi.exe
2320	Gcbnejem.exe
1096	Gfqjafdq.exe
3724	Gmkbnp32.exe
4868	Gqfooodg.exe
4964	Gcekkjcj.exe
2872	Gbgkfg32.exe
1532	Gjocgdkg.exe
372	Gmmocpjk.exe
3260	Gpklpkio.exe
1028	Gcggpj32.exe
1268	Gfedle32.exe
2240	Gidphq32.exe
4108	Gmoliohh.exe
3240	Gcidfi32.exe
1128	Gbldaffp.exe
5088	Gjclbc32.exe
3940	Gifmnpnl.exe
3736	Gppekj32.exe
3060	Hboagf32.exe
4392	Hfjmgdlf.exe
848	Hihicplj.exe
4192	Hpbaqj32.exe
624	Hbanme32.exe
1184	Hjhfnccl.exe
3244	Hmfbjnbp.exe
1596	Hpenfjad.exe
1592	Hbckbepg.exe
2532	Hjjbcbqj.exe
1680	Himcoo32.exe
3656	Hadkpm32.exe
4364	Hbeghene.exe
4580	Hmklen32.exe
2840	Hcedaheh.exe
4528	Hfcpncdk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Fokbim32.exe	Fhajlc32.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Cfjbmnlq.dll	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbdl32.exe	Emjjgbjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6296	6876	WerFault.exe	268

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cichoi32.dll"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fhajlc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 3444	316	02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe	82
PID 316 wrote to memory of 3444	316	02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe	82
PID 316 wrote to memory of 3444	316	02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe	82
PID 3444 wrote to memory of 3536	3444	Efikji32.exe	83
PID 3444 wrote to memory of 3536	3444	Efikji32.exe	83
PID 3444 wrote to memory of 3536	3444	Efikji32.exe	83
PID 3536 wrote to memory of 1464	3536	Ehhgfdho.exe	84
PID 3536 wrote to memory of 1464	3536	Ehhgfdho.exe	84
PID 3536 wrote to memory of 1464	3536	Ehhgfdho.exe	84
PID 1464 wrote to memory of 456	1464	Epopgbia.exe	85
PID 1464 wrote to memory of 456	1464	Epopgbia.exe	85
PID 1464 wrote to memory of 456	1464	Epopgbia.exe	85
PID 456 wrote to memory of 212	456	Ebploj32.exe	86
PID 456 wrote to memory of 212	456	Ebploj32.exe	86
PID 456 wrote to memory of 212	456	Ebploj32.exe	86
PID 212 wrote to memory of 2004	212	Ejgdpg32.exe	87
PID 212 wrote to memory of 2004	212	Ejgdpg32.exe	87
PID 212 wrote to memory of 2004	212	Ejgdpg32.exe	87
PID 2004 wrote to memory of 4508	2004	Eqalmafo.exe	88
PID 2004 wrote to memory of 4508	2004	Eqalmafo.exe	88
PID 2004 wrote to memory of 4508	2004	Eqalmafo.exe	88
PID 4508 wrote to memory of 2772	4508	Eodlho32.exe	89
PID 4508 wrote to memory of 2772	4508	Eodlho32.exe	89
PID 4508 wrote to memory of 2772	4508	Eodlho32.exe	89
PID 2772 wrote to memory of 3840	2772	Efneehef.exe	90
PID 2772 wrote to memory of 3840	2772	Efneehef.exe	90
PID 2772 wrote to memory of 3840	2772	Efneehef.exe	90
PID 3840 wrote to memory of 1480	3840	Ehlaaddj.exe	91
PID 3840 wrote to memory of 1480	3840	Ehlaaddj.exe	91
PID 3840 wrote to memory of 1480	3840	Ehlaaddj.exe	91
PID 1480 wrote to memory of 4224	1480	Eqciba32.exe	92
PID 1480 wrote to memory of 4224	1480	Eqciba32.exe	92
PID 1480 wrote to memory of 4224	1480	Eqciba32.exe	92
PID 4224 wrote to memory of 3320	4224	Ebeejijj.exe	93
PID 4224 wrote to memory of 3320	4224	Ebeejijj.exe	93
PID 4224 wrote to memory of 3320	4224	Ebeejijj.exe	93
PID 3320 wrote to memory of 3292	3320	Ejlmkgkl.exe	94
PID 3320 wrote to memory of 3292	3320	Ejlmkgkl.exe	94
PID 3320 wrote to memory of 3292	3320	Ejlmkgkl.exe	94
PID 3292 wrote to memory of 4864	3292	Emjjgbjp.exe	95
PID 3292 wrote to memory of 4864	3292	Emjjgbjp.exe	95
PID 3292 wrote to memory of 4864	3292	Emjjgbjp.exe	95
PID 4864 wrote to memory of 2084	4864	Ecdbdl32.exe	96
PID 4864 wrote to memory of 2084	4864	Ecdbdl32.exe	96
PID 4864 wrote to memory of 2084	4864	Ecdbdl32.exe	96
PID 2084 wrote to memory of 904	2084	Ffbnph32.exe	97
PID 2084 wrote to memory of 904	2084	Ffbnph32.exe	97
PID 2084 wrote to memory of 904	2084	Ffbnph32.exe	97
PID 904 wrote to memory of 1408	904	Fhajlc32.exe	98
PID 904 wrote to memory of 1408	904	Fhajlc32.exe	98
PID 904 wrote to memory of 1408	904	Fhajlc32.exe	98
PID 1408 wrote to memory of 1624	1408	Fokbim32.exe	99
PID 1408 wrote to memory of 1624	1408	Fokbim32.exe	99
PID 1408 wrote to memory of 1624	1408	Fokbim32.exe	99
PID 1624 wrote to memory of 2936	1624	Fcgoilpj.exe	100
PID 1624 wrote to memory of 2936	1624	Fcgoilpj.exe	100
PID 1624 wrote to memory of 2936	1624	Fcgoilpj.exe	100
PID 2936 wrote to memory of 2392	2936	Fjqgff32.exe	102
PID 2936 wrote to memory of 2392	2936	Fjqgff32.exe	102
PID 2936 wrote to memory of 2392	2936	Fjqgff32.exe	102
PID 2392 wrote to memory of 5100	2392	Fomonm32.exe	103
PID 2392 wrote to memory of 5100	2392	Fomonm32.exe	103
PID 2392 wrote to memory of 5100	2392	Fomonm32.exe	103
PID 5100 wrote to memory of 400	5100	Ffggkgmk.exe	104

C:\Users\Admin\AppData\Local\Temp\02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\Efikji32.exe
  C:\Windows\system32\Efikji32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\Ehhgfdho.exe
    C:\Windows\system32\Ehhgfdho.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\Epopgbia.exe
      C:\Windows\system32\Epopgbia.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
      - C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        23⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        32⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        38⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        41⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        43⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        48⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        50⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        58⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        63⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1600
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        67⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        70⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        71⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        72⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        73⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        74⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        75⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        76⤵
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        77⤵
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        78⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        80⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        81⤵
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        82⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        85⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        86⤵
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        87⤵
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        88⤵
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        90⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        91⤵
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        92⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        93⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        94⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        95⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        98⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        99⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        101⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        102⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        106⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        107⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        108⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        109⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        112⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        113⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        114⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        116⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        117⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        118⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        119⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        121⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        124⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        125⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        129⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        132⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        134⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        135⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        138⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        140⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        143⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        145⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        147⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        149⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        150⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        151⤵
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        154⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        155⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        156⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        159⤵
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        163⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        164⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        166⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        167⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        168⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        169⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        170⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        171⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        173⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        174⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        175⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        176⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        177⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        178⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        179⤵
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        182⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        183⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        184⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 412
        185⤵
        Program crash
        
        PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6876 -ip 6876
1⤵
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
104KB

MD5
e3ff545943a5afbe75797a3d257131ef

SHA1
e7f085dae321164458050a0a6f6b64cfcc9bd1e6

SHA256
234f83c7ccb9ba209d2169aed519a2d22572ab11dd7cd755d342e9848fa5490f

SHA512
10f4d2ceddfb76454ec2d911271cdac8a0c719e64943e619f4630d960ca4b3d2b16b355f4d093fb3ccd0b4a5bfcb3c0888c0f3954d93d852965ebecdee2071fb

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
104KB

MD5
4273d0529810f82faadcf62fe6ea5816

SHA1
96ea2b40096adb4d4515a44403ff7f920b7d3cf7

SHA256
24e151e7b5381e3851565372dee39c1eb2aa5d32ccc0e5e9c325e2e6d1865ac8

SHA512
7356eb7289ff785f818d28edac5b9e517dd011c9d25b8d02a15b0edeb6ea89352fdbf2f603d9ee908943a603278ec4d9b9a93b8dc1c4a287e28edad84070e1ae

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
104KB

MD5
6eeb6ce9a8bee55085a36ebbcfd7404d

SHA1
220fe793f7acedb067877630c2f44706d8d050a1

SHA256
4459b7e05345fe3f48b91e4d832f31eb210d34654817a8d5fd11aa29b0f51f88

SHA512
096b432b9da73a1f15caabb1ca59fc8366f7e391d9f94740175613c6c01b2c8b412087f0e6aefd49a38cc453b7509404e2c2d110f6208ba018ec504ef00a20ab

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
104KB

MD5
288336ec5dd253b77bd580f4bef8ec61

SHA1
093b7e2b0384d42f7b6a8e3c276301178729e710

SHA256
ebd7f813ac666359e4d19636e5bf8cdb768a820ebe0ca30ede3920db24619d56

SHA512
30ad20c41d20cb527401eecedc2036f6e16e4bf124a303585c64e14512f1d46f1444815e121463217d1f9bb4fe74c83dc15c9102b0f35830c4e4e9e0c15d4c3b

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
104KB

MD5
9e2cff1b64a19afc729ef8f6e117a3c2

SHA1
c0f4560529b01d74d6ab35791105c28d9c23a7cc

SHA256
8a1a702467f1473edae24447829f38b1e6b6ed841edf769b3123652aedcb1527

SHA512
27b59ec8ad71862b84d543d24103f79e4369e70c6d17c203aa644009d25f424d1acaf38c3486c5659b36d54d237669416f28c10b3f7242a84768937f6b954dec

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
104KB

MD5
aaec7aa6405a676d357480388801b9ed

SHA1
d9ed4166acb8cdd84f39b9a137d4e040cc05ab12

SHA256
3005ca52c2555ae058e2e4e922744152b2770a6e96676a86698a921168f908e5

SHA512
3835a178a3085d0b9ee1b53f4faafd5eb4cddae0c21180bb078eb57179c0d366193eed56cbdb4146bae33b0b2b2acc0b34c67e1f079a1a6397ab06bdd3cefd8d

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
104KB

MD5
3140761b93edd05510c40736df0d0a13

SHA1
19c154a9d8fc7f114be5e2aa318d335a70d0eda3

SHA256
962235bd6d7a96727995876231ec3c900f83562ca9a8f667e31c14e04c5b0e31

SHA512
31fb2c4e042d00f94636b32858e9230091b1697d3c644d2ea2c89e4ba46b0613e8dec1a898908024fe96bf19b8fcebc56bc169c4969996e78f9b85ab20c50a11

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
104KB

MD5
a29efc7d8312f0654f5d63956af548d1

SHA1
79785440e0bb974110285677314325d273bafd84

SHA256
8eaeca4a155b367be33df60d25d5beec028d6649cb951704a90a01c6f498c417

SHA512
baffc3842539ea5668450b74048041b1f2b33de41c5fe15352b6f877055e5b31876c4d17a564e82da629dd2684224533d8b837e182f582cd9eb1b6144367ee07

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
104KB

MD5
1196b0e574b4dbc80175e50380c0d134

SHA1
b07d4dc315637e12bf0109e49993d0064dcf7df4

SHA256
39c80f10687581f00fd65a3eb903a8ce6c18df51c05905ac0256b9115e0f3e14

SHA512
f2798a0ad88ec02f9270a3eefc108e5d0e5752b95afa62a9e7257cdcba03c38d097a561a27ffd9bf3706bfa40f478d7d462dc783888c28c836f54c2ef89c4693

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
104KB

MD5
74cd6c879a81bf39386f3f2e52ec17cf

SHA1
805d4cb54e5ca5a1013258f9f68a798fbb719b3d

SHA256
bfdd41b972a346a8384ac8ca6f6b0b9303f35e8c89b5c7021c40b4778323944e

SHA512
ebe2b608b3b1d682ed2349a77461bffe3af51c11135eca6da3ddbf6be339ad22b8e3bd6cdc13accf30d1f1f922c1f5f862e1863f8645a021e395e80b1dac6898

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
104KB

MD5
12a936ec0641e8396038505c2649052c

SHA1
eca18771fbdcfc3979a236d5a7cc50fea43660af

SHA256
b8656b10e59661e8918627aa60828de055a41edcaf7c6d5af6c26bc227ec1f33

SHA512
f7fcc1d4669b3ba8b718def683ff7a58cd74b3ca3711c8a4d7ede6c39bcaf38a8208a626756e9ad2c0333a7042f589e27b624c22faac751bb7d3b1a53e5a8c79

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
104KB

MD5
f79c92a822862c820b25f7acb9432266

SHA1
d12f058baf12f37bec11a2ca6bf310ed7def1ddc

SHA256
fcf79a67ed440d4a3cd93655d6ed5bc9f768ac49df2e4f5b63f165dcd7260679

SHA512
4f5b5ad723f866dc1581088b41a48c29ef08fbbf5b9339dd1947ef392e95d30bcfe05614ea2a502a19fa169d9f61ab8addb4e452707d9c2faa86a302cf079b2c

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
104KB

MD5
2ba0f34e730c54b1565dadcc1b9d166a

SHA1
46c4ae83b8aba926f72eb01cfd4fbe30d9ecc12f

SHA256
f272a4b8dbe36c4bbdf455444f4b2b7559cdb5ce92570cc55a4f374eb787178c

SHA512
ee31c920e14a450bf0e3103c0012c7619d4a6d06681ea41498d28aae9dffd670664e4a5710b2347815721ec9ebb67174b3b78b5e3a9aa3c2a07cf383e2c7d6e0

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
104KB

MD5
b3dd37f775abf5c84e8bc930ebac7d58

SHA1
570f7df747990282d5140768308bb5fef341b349

SHA256
46f376727d855d6cc28f395039f92e4ca369f12a253b0524de85215b059772ce

SHA512
50bae18a541ab8f08e6114de54858caec267a77fb17f329223e82c2e6afb8a284cb2dd35e6b715c3b9a4b43af62c3511677652d454e98aa1f40619a146ab21c0

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
104KB

MD5
777bc6a66e0cee173b6745c946d2e427

SHA1
6b124c5816e2a667c6a9c6d74b5bd855cbd96cce

SHA256
746b88d8d1631668dc21e795f0eb6511673c73d373fc19c9ce95706cfd39251f

SHA512
d87cb9b4a57427cb09969a716de16c867eb0c50405b1ae151d869aeb09f0f7949a63c432ac4b6657099386ffc049a61e8dd291cab2acd1e10d0e9da06f7ff157

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
104KB

MD5
fbb7f7a9bc9215fed8e48192a0069310

SHA1
3c0492574c8a50094f16e6bd5163c678bc3d19a2

SHA256
e54634d937e5181178914b44571c4b7af329315bc2d5abf82344e667899e7bbf

SHA512
f8b7f74687de680d9ef91f248bab07eb094df1abc240522c4ec7777f58cd635e877aeccc61eea59d59d54ebf51b91c11bfe0b1ddefa7a91d7c469ada45f6a81c

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
104KB

MD5
8047831346edefe905faef45cefb9fd7

SHA1
95ce64cb9aaed57d465fca2f757cb53f61561185

SHA256
69b934df9f6d0c2ea567bf6d9e5260224b18c6629e92cea4fb09f7781955166c

SHA512
3ee968f6ad26778fc4ffc3485cc26c06dbd7ba708985f427da50db53f1c0d5806ad3fab92ad6e648249810dc997f3f714c9a74ae20aa508e4c396e4fce477d6c

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
104KB

MD5
9d2cf11acda6547936e20edd97ee53c9

SHA1
4cd42b6e77491a8c9470ddb8398be6eb4a186fb5

SHA256
b86bd04a60524b751ba219d2587446e47fe9e3cf7371a55a7affa8eb062884f1

SHA512
0cf2f643ce0a63a1f85c0e5aa78e44e76fdb30a19bec895679e62554085ee411805e014db887e0cb20aa93d5a0945c103fac060f1834d279f518c1721087cb16

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
104KB

MD5
c6fcc3f3e5698805b9250b01b5231443

SHA1
2685f9f033a06472e30f3888cbcd6c1ab26ef85e

SHA256
1456f15aca2a1a6a5fc0d03ff4923f446483c3a564806c690b6568c06957bff0

SHA512
53fa6aa48852e9e1f58eb929242f74a9f4dd2e1cb79ddcf1a4d03dbe3b11f24b2d3ad248d073ff1e3e136e5f93dddf6dad12647993a7131a311c31718c24b97b

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
104KB

MD5
23d92bcaad51aea9219f80560777643a

SHA1
62a36bc005acd0d2e34f348fcd4208ea389e43f3

SHA256
4ba4c1e8c69adffbafdac2f070f54f4e98c6bc66ca4c1a6f634eb5ef2b0e6ecc

SHA512
840e03477b687eb50aaa1c848c2859088299710614755f8fe44b2e9fb0b7b661ddd1f86bffabad782de1499ea446284bc6610f48c48fcde4183189cd29417fdd

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
104KB

MD5
591b4b2d2c074e4f4149e00f470d3d27

SHA1
97dfc0af753b1c0652e6a20ba8dff794c4d61f5f

SHA256
12487fbc21de88a8fdb599564d0ca8e5b4d340ed720976072c99d7f321861a2f

SHA512
cc5fe21c7d12717e08ac5fb1ceba5dcabee9e4ce9c5c9937fb76032edb958ffeff79f48de66f256e04acd33098c8ee0fd2759774490d603af7768690273d9eed

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
104KB

MD5
c5727670b4e249155a512750184a4a7d

SHA1
6ab46085b060d49da8b268ea9c11069929def591

SHA256
8b60ddf799c548f4aca3a6cded88248ea9ce5dc9d83eee0e6ee91f7c2bab6df8

SHA512
4a579f07982944f50a9f035ba5fa6851c17c670f16db1903d7d65c30ab0500c9fc577be26063538526e7589545878ca8876c7ea8fc8a92f5afb28bccd884904c

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
104KB

MD5
444d9f65a25c3d5dbdc59e4e59adc2d1

SHA1
4abf1ccc6161070037e3587497ce2db57252f03e

SHA256
41f47c634f13edd6ffae2f4612ad0176f2ce6d1537c97d3682f719ff439bed77

SHA512
d3ba12c3b11c07393b477c9ed8c6f6bb7798119f12a3c2614b9162ef7991f2935b27a1ee45da3e9d8113ca556d6f32e61f1728f5c2b0cfcc2f91bece4ecec654

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
104KB

MD5
f23bed869dee3038ba88ed5cd4aae575

SHA1
612c389af9eb3590a01e4fc65235ca7a04ebadd3

SHA256
55e6e04fa205af3dd21e5bbdbcf50370f6241e1346f903c24a8ea7904a4d579c

SHA512
940cdbca375b1badb717cb8b020e26238a0639f9f7f48c866c0ce7c3d8eaf6b592a53cdbe282807dafb13d75b0834cbfb7f697c9a4b1480dec07341d00e09969

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
104KB

MD5
8e8894faab006d9731ed2e5ab0048038

SHA1
f77d4a61fd8ceae3a5a9f3d153d282e3c60fe5ed

SHA256
03ec0bb0748bdd2ef4e94c623898cb67b8680dbe1cbb62203a26b0b768d7f8ab

SHA512
c6e3982fbe691f673d155f554115bbfc67981330661312ebdf0980fa95946b37b000b08b2583de99aa09b79a471c88ead3a396d6277dfedf05c53bddde468965

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
104KB

MD5
0e170edca2d01612cceabc980818e08d

SHA1
d6ba8dbae26ac91ff7f67e186a5f2d242aa76c89

SHA256
afaf8ca9b6ba1fb8503061f1baadd1530edb183bf4af4586c195c18c725a87a6

SHA512
a02a28faca57707c6f5e308a019db2db3f2e6cf446e196ac58fb03da53ba59725678be3e8450f5ee96ccf96023ddc6faeac9d1957c92109ae73ccc7a0c3c7388

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
104KB

MD5
ab585f1c6dc2a757d16e3899ee418c70

SHA1
21b840d136d5f0f6db26bd627d339dfadfc8862b

SHA256
e5a3df0cc44f31e12351ca8d4237ce5cd3f35db6714bc16dd516ed142a292853

SHA512
fa00d47fa823e1c75c3f77e1e6d59c1e35c8b120fa51e72a89c982f3362d78ac8d67f96373843fc1580826c2fa1e49ca9de2d8840e25265b673edb7eddfbbab7

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
104KB

MD5
62632578fbc1ba1cf450f6d5d0efa26e

SHA1
8c604f8bd6325c500daa4f6379e6ca5f9355df5a

SHA256
4b0230cbadeae1cbc71487ca044f82b9680c619e5ecc5505df1ac48eb2f2832f

SHA512
8e10b766bcaaef1cc984a397ce9573cbe3930633501357b950c3fda5a172635dcc0a7ef69c0eaf635cc04ff28673b105f25b7d6a868f86e340130064f5039273

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
104KB

MD5
0dd68b8c8da7f9ed560597cea7fa2216

SHA1
610c78bee415caa98ef0337f199329e4f429026b

SHA256
7d5462dfc3cf8eb4f7575ffeecf75b2aff52e96f72af401844e33fe4a20956c2

SHA512
f58654c08457d15f7ec9a72aa2ca39ac0f3e4154b17b2a8326ff38dcf44692f8d5bbd2a0732dc09c37972cdff6d32054806802aa5ed790ac6e6e56a0a72b1cd6

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
104KB

MD5
ce261145ea0d81c28cdd8c5812d2b1e2

SHA1
e0a90c2b2edae00a971716f2e6bf8b5ccb5fba36

SHA256
e85fe5abffa8594d346e82ea7820a07cb9469b3a0e4f3b5a13d89a12a43c1923

SHA512
e131e9a16c3c62eb61dee9e6a5bd72e3492af7c286d56b8757c1c1395fee15fe517c5e26cd1cff521f07875d88e3b34a0dbb950e624b9cbe812207e05eec7391

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
104KB

MD5
ef9b9771227299724b45d6f4f90d4c75

SHA1
ac0967866f7a01e522c3eef7a9f8a7c686cb5241

SHA256
e72eed9a6d5592a65302c660c116967ae84b766ecfaf210e508509bdf79a8159

SHA512
d9f3f41b770bed7f06dbbd02e13207c9bbbb8927f732c9acf90a591462cf4c94acf748561eae574b9b643f82019341e3ef8042ab7d228ac8bd4871aebbbfe3f0

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
104KB

MD5
bca61f6ecb717ba924f77b932e12de39

SHA1
a4ee6a8b748e6c9fba6f0fc5f1f2fe1d716391f5

SHA256
60e8ad3c28d070885c7f9e0ceec2156c5ecb454b2b04bf7f7447a783779f2e0a

SHA512
23351bf2901f075064c232a1aab369cd5cc70d0b44c062ef2beba6edac073e0e7b905eda80f0fdd56872060952501f03805d032c0572df56e4b0291fe8abb58a

Download Submit
C:\Windows\SysWOW64\Hfdcbdnc.dll

Filesize
7KB

MD5
276bbca0f5aa82a8e362bd0923b0a226

SHA1
ad54739662ab10923405cc937f5c0b0735e76408

SHA256
95fc0882533f3d145271c4d3a3c98f68970de1682cdb31c3d03f78920fde9baf

SHA512
7cbd4374e9eb509d54d6b5a9e5e5eec23d4abb825adf180bf0dd315a83e8331e2683c0b0490a6c5b758416b58e0ce2f0368bc387acc2cccea8069f2eda17736f

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
104KB

MD5
02b73993be2881ac565b335ce22f7e38

SHA1
9fc593cb134304b688a91634234d6a773304ab0c

SHA256
87da6dc7912f18b80b4241516fadf5637023e7c906be901c8d52637eb1e631de

SHA512
bd4665a93ec2ac3be10a851ae40dcba6341b0ed59d353d7557d19f9c0ce75cb96b86c879485dd9acec75c85b7886ef1e0c8a552172eb2af91c45d18c4cb43ce5

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
104KB

MD5
175eb763ccbd7be4e41b96c49fe2f854

SHA1
13a0d15c59797bc0ac49b7cd8b093a53218fa5be

SHA256
fad06e1c2a7bfc27fef40128a8ef17d52133326e7fdae5b5434dfa1b6a6f8e8e

SHA512
c960e00c49409e0c094fa382ecfad9507313dc4c22dd810b2c8728f96826ff14552424be60257e586a5a2a26b1ae618b00368fd72440652b2e67d7ed5a43f55a

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
104KB

MD5
233e0c0760e7e45293ecbdecbdfd181b

SHA1
a57e20250261c313423a2c461b5da530d16f78f9

SHA256
1544631577c74c143045780b2f773d3e2ae6224543dabe7c0af076a680d2ca0a

SHA512
68984fa2ce2028b92ed5a4a6a470a939abf464559db73c25a794ceb1a720fe7be410ad453ac88593584ae6d0d30d467af5886a8cd8546cd92a1b101d9483e480

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
104KB

MD5
2cf747ff0dd25ba52d2436178b02ed71

SHA1
a7f91c4e3f299d84656e661764a48a87398057b3

SHA256
9c85e47aa73ee3ad319c870cec79c666610acb8b13ae7b115816255dc8d59f61

SHA512
44865aa75e8e07c7481e987cbb19141d69c666e902f75d374544c16601fb23ec63196e7db41b2af1ea690acc870559070928cebf98e86767107585be505798cd

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
104KB

MD5
d1bce42fd392af21eca8ace9d4654571

SHA1
a78f63adc8220c91a8f57aa5bc0e2fcf46225f53

SHA256
54062ee1856ee95af60d8e15cc226ea50f8a1655b2af4f0cede067c3d743e969

SHA512
0c852384e104e0e2779d4fa9601e37e94c6df487068b5901d767ce47e756a54852f6731cf3d393badee798bb8880d137c7281aa136193b82d958e552712e8d5d

Download Submit
memory/212-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/212-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/316-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/316-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/372-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/848-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/904-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/952-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1184-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1268-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1408-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-571-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1480-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1680-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2928-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3004-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3088-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3244-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3260-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3444-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3444-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3484-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3520-530-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3536-564-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3536-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3568-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3592-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3684-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3724-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3840-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3880-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3940-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4040-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4192-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4196-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4224-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4228-211-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4232-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4392-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4488-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads