8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d_NeikiAnalytics.exe
Size

89KB
MD5

8474f07e249c88552ed0db90ec3eef40
SHA1

34f08a8b0c3b5e30db9d8325e1b41b3cd95fd4d2
SHA256

8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d
SHA512

eb6c86b3ed4fe8e3d95b15147389ab0092c4d20ca11dab402ae288bde134bd9c298f1b97f30b417d2d6ea6df229bf9d6368c208ccae7431f11a66b17b6fb6afb
SSDEEP

1536:0z6W4ZCvsaQ+ygB1mofd+2CpGC/CRqPcClExkg8F:025ZltdgBxf02CjCQcClakgw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe

Executes dropped EXE 64 IoCs

pid	Process
408	Epmcab32.exe
4424	Ebnoikqb.exe
4356	Ejegjh32.exe
4860	Elccfc32.exe
4268	Ecmlcmhe.exe
2088	Ebploj32.exe
1216	Ejgdpg32.exe
2092	Ehjdldfl.exe
5048	Eodlho32.exe
1768	Ecphimfb.exe
2432	Efneehef.exe
2872	Ehlaaddj.exe
3536	Elhmablc.exe
1744	Ecbenm32.exe
3264	Efpajh32.exe
3764	Ehonfc32.exe
3300	Eqfeha32.exe
4756	Ecdbdl32.exe
3816	Ffbnph32.exe
3724	Fhajlc32.exe
4524	Fokbim32.exe
1712	Fbioei32.exe
808	Ficgacna.exe
688	Fomonm32.exe
2688	Ffggkgmk.exe
4760	Fifdgblo.exe
4900	Fopldmcl.exe
636	Ffjdqg32.exe
2452	Fihqmb32.exe
208	Fqohnp32.exe
4908	Fbqefhpm.exe
440	Fflaff32.exe
452	Fmficqpc.exe
628	Fodeolof.exe
1476	Gcpapkgp.exe
2520	Gfnnlffc.exe
788	Gimjhafg.exe
2228	Gqdbiofi.exe
1364	Gcbnejem.exe
3380	Gfqjafdq.exe
4544	Giofnacd.exe
4896	Gmkbnp32.exe
2468	Goiojk32.exe
3960	Gjocgdkg.exe
1208	Gpklpkio.exe
3936	Gcggpj32.exe
1996	Gfedle32.exe
4112	Gidphq32.exe
4888	Gpnhekgl.exe
4260	Gcidfi32.exe
4848	Gfhqbe32.exe
2540	Gjclbc32.exe
2212	Gmaioo32.exe
436	Gppekj32.exe
1516	Hclakimb.exe
4352	Hjfihc32.exe
3752	Hmdedo32.exe
2344	Hapaemll.exe
2328	Hcnnaikp.exe
2156	Hfljmdjc.exe
3088	Hjhfnccl.exe
3556	Hmfbjnbp.exe
3016	Habnjm32.exe
4064	Hcqjfh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fihpfl32.dll	Eodlho32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Ehjdldfl.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lkakml32.dll	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Ecmlcmhe.exe	Elccfc32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Bdghlnlo.dll	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6340	6888	WerFault.exe	282

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffjdqg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 408	4180	8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d_NeikiAnalytics.exe	82
PID 4180 wrote to memory of 408	4180	8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d_NeikiAnalytics.exe	82
PID 4180 wrote to memory of 408	4180	8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d_NeikiAnalytics.exe	82
PID 408 wrote to memory of 4424	408	Epmcab32.exe	83
PID 408 wrote to memory of 4424	408	Epmcab32.exe	83
PID 408 wrote to memory of 4424	408	Epmcab32.exe	83
PID 4424 wrote to memory of 4356	4424	Ebnoikqb.exe	84
PID 4424 wrote to memory of 4356	4424	Ebnoikqb.exe	84
PID 4424 wrote to memory of 4356	4424	Ebnoikqb.exe	84
PID 4356 wrote to memory of 4860	4356	Ejegjh32.exe	85
PID 4356 wrote to memory of 4860	4356	Ejegjh32.exe	85
PID 4356 wrote to memory of 4860	4356	Ejegjh32.exe	85
PID 4860 wrote to memory of 4268	4860	Elccfc32.exe	86
PID 4860 wrote to memory of 4268	4860	Elccfc32.exe	86
PID 4860 wrote to memory of 4268	4860	Elccfc32.exe	86
PID 4268 wrote to memory of 2088	4268	Ecmlcmhe.exe	87
PID 4268 wrote to memory of 2088	4268	Ecmlcmhe.exe	87
PID 4268 wrote to memory of 2088	4268	Ecmlcmhe.exe	87
PID 2088 wrote to memory of 1216	2088	Ebploj32.exe	88
PID 2088 wrote to memory of 1216	2088	Ebploj32.exe	88
PID 2088 wrote to memory of 1216	2088	Ebploj32.exe	88
PID 1216 wrote to memory of 2092	1216	Ejgdpg32.exe	89
PID 1216 wrote to memory of 2092	1216	Ejgdpg32.exe	89
PID 1216 wrote to memory of 2092	1216	Ejgdpg32.exe	89
PID 2092 wrote to memory of 5048	2092	Ehjdldfl.exe	90
PID 2092 wrote to memory of 5048	2092	Ehjdldfl.exe	90
PID 2092 wrote to memory of 5048	2092	Ehjdldfl.exe	90
PID 5048 wrote to memory of 1768	5048	Eodlho32.exe	91
PID 5048 wrote to memory of 1768	5048	Eodlho32.exe	91
PID 5048 wrote to memory of 1768	5048	Eodlho32.exe	91
PID 1768 wrote to memory of 2432	1768	Ecphimfb.exe	92
PID 1768 wrote to memory of 2432	1768	Ecphimfb.exe	92
PID 1768 wrote to memory of 2432	1768	Ecphimfb.exe	92
PID 2432 wrote to memory of 2872	2432	Efneehef.exe	93
PID 2432 wrote to memory of 2872	2432	Efneehef.exe	93
PID 2432 wrote to memory of 2872	2432	Efneehef.exe	93
PID 2872 wrote to memory of 3536	2872	Ehlaaddj.exe	94
PID 2872 wrote to memory of 3536	2872	Ehlaaddj.exe	94
PID 2872 wrote to memory of 3536	2872	Ehlaaddj.exe	94
PID 3536 wrote to memory of 1744	3536	Elhmablc.exe	95
PID 3536 wrote to memory of 1744	3536	Elhmablc.exe	95
PID 3536 wrote to memory of 1744	3536	Elhmablc.exe	95
PID 1744 wrote to memory of 3264	1744	Ecbenm32.exe	96
PID 1744 wrote to memory of 3264	1744	Ecbenm32.exe	96
PID 1744 wrote to memory of 3264	1744	Ecbenm32.exe	96
PID 3264 wrote to memory of 3764	3264	Efpajh32.exe	98
PID 3264 wrote to memory of 3764	3264	Efpajh32.exe	98
PID 3264 wrote to memory of 3764	3264	Efpajh32.exe	98
PID 3764 wrote to memory of 3300	3764	Ehonfc32.exe	99
PID 3764 wrote to memory of 3300	3764	Ehonfc32.exe	99
PID 3764 wrote to memory of 3300	3764	Ehonfc32.exe	99
PID 3300 wrote to memory of 4756	3300	Eqfeha32.exe	100
PID 3300 wrote to memory of 4756	3300	Eqfeha32.exe	100
PID 3300 wrote to memory of 4756	3300	Eqfeha32.exe	100
PID 4756 wrote to memory of 3816	4756	Ecdbdl32.exe	101
PID 4756 wrote to memory of 3816	4756	Ecdbdl32.exe	101
PID 4756 wrote to memory of 3816	4756	Ecdbdl32.exe	101
PID 3816 wrote to memory of 3724	3816	Ffbnph32.exe	102
PID 3816 wrote to memory of 3724	3816	Ffbnph32.exe	102
PID 3816 wrote to memory of 3724	3816	Ffbnph32.exe	102
PID 3724 wrote to memory of 4524	3724	Fhajlc32.exe	103
PID 3724 wrote to memory of 4524	3724	Fhajlc32.exe	103
PID 3724 wrote to memory of 4524	3724	Fhajlc32.exe	103
PID 4524 wrote to memory of 1712	4524	Fokbim32.exe	105

C:\Users\Admin\AppData\Local\Temp\8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8dcfdd721ce96cf509b2460b8f0c8e94a9756d9fbc75f250fb6df9558a4f277d_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\Epmcab32.exe
  C:\Windows\system32\Epmcab32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\Ebnoikqb.exe
    C:\Windows\system32\Ebnoikqb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\SysWOW64\Ejegjh32.exe
      C:\Windows\system32\Ejegjh32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4860
      - C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        24⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        26⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        28⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        33⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        38⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        39⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        44⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        51⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        56⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        59⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        62⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        68⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        69⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2796
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4568
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        74⤵
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        75⤵
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4752
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        79⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        80⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        81⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        82⤵
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        83⤵
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        84⤵
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        85⤵
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        87⤵
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        88⤵
        
        PID:100
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        89⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        92⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        93⤵
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        94⤵
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        95⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        96⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        101⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        102⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        103⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        104⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        105⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        106⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        107⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        108⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        109⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        111⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        114⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        115⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        116⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        117⤵
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        118⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        119⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        120⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        121⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        125⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        126⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        129⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        130⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        132⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        134⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        136⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        138⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        139⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        142⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        143⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        148⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        149⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        150⤵
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        151⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        153⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        155⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        156⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        157⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        158⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        161⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        163⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        164⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        165⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        166⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        167⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        168⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        170⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        171⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        173⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        176⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        178⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        179⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        180⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        181⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        182⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        183⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        184⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        187⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        190⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        191⤵
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        192⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        194⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        195⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 416
        196⤵
        Program crash
        
        PID:6340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6888 -ip 6888
1⤵
PID:6164

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
89KB

MD5
05be68c94e09bffe60b4a596a65b41a2

SHA1
9077e934bd8674e1f8891321bcbf6c527ad325ae

SHA256
f2b72fcfb12ebe75f3679fd4aa8033d97a02ec6399dd6069cb9ec32713333968

SHA512
8098700b72e460ec26bd0c184dafae1ac033977c8d682fd8e2f2d4e6cd310f5cae1e4a1fdd907fe9232bb09988f6f138f978f20352a2bdf3f33e98cc4f4c95b5

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
89KB

MD5
483406ba7afc69fb1aeed1a76b0e1e23

SHA1
53364fe1350a3984cd27f3a60a451fe93b1e4285

SHA256
4debb6f976d4e2d9a1aafe329c50627a53d27e4f17b991041a4fda778147c77c

SHA512
19dff1c9cb22c13bb336d7d678d2ad59cba6935dcd98cf5c866548e0c13619e504f94655be36a06eb80c5f73d38dc74b3cd8142e848b413bf5ba73ea73edcbeb

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
89KB

MD5
221e39eb0bd2c35a7d3ba42d46fcddbb

SHA1
7006739d93e65be710094cf63c2b173e931ca615

SHA256
9b5c355644fa3e216265ae7fd039a372af81e444a3a14865a9550d5d0f138d76

SHA512
c12f5ce205a31b0e61aaea1af26dcc97770ac0b14fa3040bd8511510a89dc1c02bfd8a7235812fcfb907cb5b5d278e035ddc8704e001c6886189a041bf5cb1d6

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
89KB

MD5
245e9b2ffe0fdccc41cd2e166f562c53

SHA1
7cb9edd0a6df0383e1dcde3f528d10bf9204e89e

SHA256
ead2fa62a7b3267f859e45cab1982e8ed813dad3b2f8067c5f9991194d84885c

SHA512
2158e93f30d06bb9047670e9a8ca71019a9c49460e446d3a406c6c09ce13a2355a8e03f24ada0d08ae03a01262cb6c89d55cccd7413a67e9ee147a176c5526d4

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
89KB

MD5
c96844c9075e2fc8332907fee6a64bb9

SHA1
dbd89dc2a26926a48e03e027442a0d2027b307a7

SHA256
63d8d97c4eae37589a57665479153dfd35118840354b95af82ff0b5ad4d47d2d

SHA512
6327e5b88cdc2f9e486147a3bd6fefc7f670211f7af5c3c2cbfd0551e9073ca512c5e954fd6f6a0ce474f29a37ea7cd3eeb544b3bfe1a3dfcf6cd7920ef1ae30

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
89KB

MD5
be08baafd6e6ee0ea8afc3c13b9d6b98

SHA1
8f51bbaa67acecfbaa94b0b3d2e8da2604fba32d

SHA256
4ed25bef96ad855911e4c1649fd2cb987e07ee33b94d589184e12f294313ead9

SHA512
149d3c36f05e9c47e5e8ab393e2027132de5135e58d8fb4ddc5b954771d3e509517ed6b0d4dbbfeafc74c40db1780369fd11d84a74fcf1ec0202679e7993655f

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
89KB

MD5
0e5c4a6fc8cb9301e67c81d96a6f52f5

SHA1
7151ea1843328732e422987fa346fe848e68a9ea

SHA256
37ca8b5397b14334a164a67fbf46e54b8abbc174b6a090d2172a1729d7f10008

SHA512
87f03ebd5d324aede3f77a6abf2278d1015d97c481cedf8d74ff52e35c6c3fa7fa52905c8d63122a3c176305ca7a5a92407405766dd1f666f608b205fda38eeb

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
89KB

MD5
20b113440aef7c652fbdfa7863b0d6a4

SHA1
68de219a58ab1c8cddc42f0ff3bb27e055eb4db7

SHA256
436ab2d3617787a5e5fa1464ba100c5a93ba65d23868d33559c0af4c8ca291e3

SHA512
acc184fa6b44a000cbaa9b28d63db1144554423f560277525292d71ca5436599a51904a686ecce913cdb1c9406679e75418ed559606b6cd9e26028c249a7242c

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
89KB

MD5
5ffca6a8139ebee7b1215ca084210ba9

SHA1
4b0a8a4eff6e80f05b3ce9a95f294357c1a3d503

SHA256
32432b95c056067a8fff4c05013a42510cd28d12a85936df997041d3f79f8284

SHA512
93a5ce9a6684e375b31b4e6c3c7d0fe6bc7d6f2075958e82132d2fe0f221755cf9e6a4ab8e3aed621510f4681cb8f0588eb2db170fe7a3823e24532cf5c101f2

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
89KB

MD5
b55dc4f0ec08bccacae9d9ee188f11b5

SHA1
f724f97ec2d8b579754ad98956d9ea3d0cb102af

SHA256
9c3adf3de78e8754ac0154dc4e170ac9c81f49a8861245981f234162036a4103

SHA512
41eacdcf6ec55e92a2c3a5e85ea8ba81344b02431d523ce743c8eaa58a085afb09b5e2d673a94f5984e3a1f9c3808ec9f489537f6765c7578b2c7f12d2c49988

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
89KB

MD5
e544296f260dd742d5cce416c424174b

SHA1
e900084fa7eb77c169bb999e9e2d9812cd1f4f82

SHA256
335c1e9463678ae897210293015ed7dd7af939b0712f491575988aa852986fdd

SHA512
10d811dcd089d21cab1a46e8b27227e797dd5b5b29356fa4e5206acdd181c1614b5ed1c00e182e1c1e11c93ff58f1a0e070e5d2cc49868d8b8b22a04e8d166d9

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
89KB

MD5
a45be3f83857f4265f616886ab26c093

SHA1
b8f1cce9b79bf00171130f43bc0d767b2bf6b7bd

SHA256
e7482a67db44ea79b74a8945701a25656ec29643cd8fa6c5ca98763b63f30dce

SHA512
e06733121ad18004c8f8f54df33fcc7e205f42fae56fef3577c506dddb79d00afe0d9fe2bb165b8a43163922eabf5abc1a6f1ac5563812e1306dc83c737bfd95

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
89KB

MD5
2f2daa72a77b5552981acf711d0f0eb1

SHA1
9ad36ae4ab866dea92347d2ed40a67e2ada514ae

SHA256
2b2a78abcf1a5adff6f4bd4096c9eb3bea8b9d70a78f7f09f7dad61fc4e7ebe3

SHA512
0b2e223e7ff4e943aa03141347dd167d365eab188e401c9faf2c7ee5caa57c5f34d1594aae49a0bd04bdfb1aa942647bc28ffcb77d4f83975d168bdfa3f65b69

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
89KB

MD5
5183969e4d0fa06245983bb24fd45730

SHA1
a58ac4ed0f425fe05382f9a05578f947c88c8c99

SHA256
8ee2a2acd49e025cf13f7a0b8fcba6e4d6135032e5bac094f23a16f6f3d5a8f6

SHA512
2d26a9ff49361cf249cc25a3340b5ab4fb82dc03a34122aefedcb9b37ff8aa368efa96f7600107a4e7b414183a442fce90740c21eda54dba90984ffd9b71b5cd

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
89KB

MD5
59337458a2f46f905c9c07615ba046f5

SHA1
cba3b5b55faf86ef5e27766721cd326fbc9b3376

SHA256
4ec121fe132e3c9f2c5609010ecde3d31825d8c76ca09e1157edd49c6b5364ca

SHA512
348aa524ba454f19a311e7177a398a6b27935af10a248b0cda8d02b76c0a67d90e021ae0990ac47e84d23234a230d0f4583b6a9475c6c31ed5e43556e00566ad

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
89KB

MD5
608c9cfb0fbf8a8b12f91eff38b48904

SHA1
5aee69ee36a944a1361e983eafd94c9400a3c404

SHA256
4289de0bb5fe445d55b6feb416be8438e5d93dd37b819b8f441ed7fda80968f3

SHA512
0ec0fcaa6ac77725dadf438d6f7dbc9d55314ba5db44d71b48d07689cdafc514bfa26976546b2875e0c5f57d80402efa4c08f8feeedc994aefc97cb4f7be7972

Download Submit
C:\Windows\SysWOW64\Eoodnhmi.dll

Filesize
7KB

MD5
9c04bab56c7b6af7d5527fd84a91727d

SHA1
7863cef79ab5741e82ecefd4646e68230d4439ba

SHA256
4bc958a94695c2507c0a9773162b257cadb8387d033acb43f15b08ef7858d51c

SHA512
d3bc7a636be24e9c040222ee58178a2d1061375979fa96ce677aad0715d6c1204a84d2e47f17ba37838db032235b691bd2243241f1d1b39cc3f89a361a5da109

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
89KB

MD5
4081ec8857a83313266bd038bd186ab3

SHA1
f36d714cb558aa60cfa5741933a2b01b660cb967

SHA256
db831b7ad554f0cc594da2e10d97fd1434ed8e20e8ecdbc6a98efd92a32fca32

SHA512
9998b56bb1dd33fa89352e5150d8ca5835773619e2da9c3d56a14069ae202b20f9a8764d78b7d17195f9260f2b8080a810748aab1400db1ddf1645c964485010

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
89KB

MD5
5fd316c22436f5aa8465d5f18ee85a7a

SHA1
fe5acbca30b136a8b2610bf5c9c182b6d287bbd4

SHA256
2021ed8d29f2d83104064228bf5bfbc2090cd9436af3d781ad5f4e2e4632371d

SHA512
a707f06a576c88afba0db82887d54f6f56d94e3335a83528852c5e1c92a989ae0227a07e810d58411685bb8d7de3bebe4d6b26c30b09bed1e578cd78ce9c3d4e

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
89KB

MD5
f1e3e7ecf15a400313fb1f4cdff3ae00

SHA1
fa41d8d89b8748f3e64087c2e63a83ac96c4da35

SHA256
16f6acb74beb4153ab6dbed2d9516355516912aa9ffa787aea9c0a08a34682be

SHA512
4ed87f0d1de01eadacb82e5431f9d0386eec6da97ae9db910c089eea42163d3334516ede6a97edef3629f9d4af22bff642261d41ffcf930874107f4e08ef2c05

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
89KB

MD5
4f81c77a4b031a4ae5268fee92f2abd4

SHA1
88adc1b9bd06c383bfa4363d7a2eea8a9b5c75e2

SHA256
72d7a556f2aa9b0942ad895e13c41573d4088d42e06e181aa0d30956136e1f20

SHA512
fa972f8c1206703d4dc2d71a62e1b3bce494a8443109843a39844a4e06b45a6f9db0f1f36722bf9b2c7b5af6fb5cb0ff7d4f79c136fbdd298838c61e7ead42b3

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
89KB

MD5
41f08ca1726f763ccf8369398c4f7211

SHA1
0702476e08497a03b7317d35f5a0843e00336a0f

SHA256
48bd849425383ede43acbaed9c0ef47afb35bddefb8a48a5aa2b410f61897a0a

SHA512
176ab1db1b626b59cb18e1517e7b9bbb91db90e826512ed345f6d1173f695daaa7549911e800efd91dbbc1120917786de104b2fcdadb5c0719cc68b06ce86f73

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
89KB

MD5
7006e3c8b0d4bd6c5b4473e4966945fa

SHA1
0b3c3ce02874509a28757cc840d21cd06a396a2d

SHA256
8ba88b9b0d956c8eae450ecf7e1217f0b5dc4993ef38dd29abed6743ce921e75

SHA512
88a76d5f38b21ca165e0ed334f8b4fce737f153eedfb014ef89bd8cea5da11645419cef918d7700da044839e384f1e0c66515b33eec4ab6d64b0410d44524bb4

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
89KB

MD5
1424b08aa0094cfc34b003708ebdc176

SHA1
3506dff4cee74c7daf256bcbd40b4774753e4d7d

SHA256
40adfdd1b6f2f03d49d7e77509311419e9e85bb7e8a43e0934c1ee43534e3f2e

SHA512
e5f6fca8682cb99451933121282b0e1a1de0039928233424722c8be3aca0af004f0edccde6569dcfac5665b1da1778fb3eedda6454f1262f20876ed5f52eddd5

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
89KB

MD5
8e8f5a9e53fa965d7852ea92a7d75ab8

SHA1
cafc7583f2a2c599ae87a622469383d85233f3d2

SHA256
9ed96c72254fb05eef6f7c63d2626665c3ea70c32bc945b8bfc1fe1916b1c3bc

SHA512
cfb13ab638305400a9bc0fd9ff9539dd3673dbe6ab4d3efd787a295e46922496eda99460d0f68c2bbe5bc8c00bbe87e12a0e0c1b55d3c5e35d5044e7c8095bc3

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
89KB

MD5
9f9f1b2cc272b10472fbfc49092a3705

SHA1
df50f16a334527050db3ac577e67a77f2c1c1c50

SHA256
4e093cf3570bf72e15774edc45afeb9715a76962044269a0be177d3296debf8b

SHA512
2725a9b5f3e4fd09620c39d35257253af7d590eeec065b4cb2a8766c65dfc8ac1d4eeb64e0f1439ae2afc4f04ebed9451c6f1c658c929bb44241b81a527a2980

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
89KB

MD5
7f65efcab356f7369b43716fcfd7f781

SHA1
0b5c78eb1323d196f4132bb74eac0637c1298391

SHA256
d546c4b66a81117ec70b0ae4ca0c17d1c00e91ac1a3843614ba4ce5b45878919

SHA512
b5d2c890731126e92b7118eca0eb3079c0b61bf0f92ff95245a3872fb7c84342b88d26b0f48ebbd6666e0bd958b3e7e126a92178a098c88b714f91cd7f2c3290

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
89KB

MD5
387f9ee9c22ecae0984e69460694ae59

SHA1
3cd115868e1fc7c0fba979465a2ee9371ec5a5a2

SHA256
859452e8e32e5d130c97ed0e780653da86baf43a3cbe9f2565e05fa0db3a4204

SHA512
52dd0ea847619454f38afa478e3b065bd7ee88261a358b23a118bd4950e71d2c74620045eceed0fe90a84e39b6d88457dbd8e95bf029039ec7229b5e0252a2f5

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
89KB

MD5
270b4521e62e818dfbb8bd7cd9299d89

SHA1
283574e9b747ae6e89985afcf5f1c71f65d94759

SHA256
fe17e1ad7244193f86223797b7079dd1e82052b4929dad81985a98c1af444aa6

SHA512
8698b87e98b304c2a7b1377451e4f25800c5b6daed3437749064fb20ddb415bfbb6863ac76787a4c49c08537bd60cfa633c2c405f93b4b4fbb784ecf393ed778

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
89KB

MD5
06566ab5049fd9ad1534aa604ce52abe

SHA1
5ffddf4493ae6b21563ef346836b8140b2d0cc15

SHA256
8db5bf5c5de9fae2df227b231b7b5f1fc4ce914aace5372778d70d61e41a0d58

SHA512
bdb5ebedf110a387a375aa6d7ff47712a1d4a980ad02c8dad4c923ef667ded4d1267727009eaa66b4f758c40a491df00032438829234f8475595476804deac82

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
89KB

MD5
02fb0b12afc487f4eea3e61e3b08b5cd

SHA1
f101682f721fc5351714eca8d86ec4085048118e

SHA256
fa06a998589772e3cd4d5f2f19e32da420febe1244e48cad484357afaa976b77

SHA512
ea0348fe62ddd7880986a2bf26815bd51c30c70ffbe16561317970df41c307521729e02144d81fff7851cb23b46e5c6285e5a519718fb9a555f4637f0668a970

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
89KB

MD5
2e7adf200255409914310d42e18ab2cc

SHA1
050764487d655ea2ee92cbbcd9c5ca5e0df8ebe3

SHA256
7ec45e3f6d21a6b6e78ce47f193d0be1088c21ce8792221dedcbcf3dbd1fc73f

SHA512
10821fb71ecac14c73ccb2326f7ec39b4aee00a8baf0ef75ed5e8a6bc012a0e79e70f0c59f8156b51c270f9708adeb54854eb015f4bbf692971bc878543e7d85

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
89KB

MD5
34ba54104b5ccda790136d233836b9d6

SHA1
ce41e554acd6813a964ef351a4217599008a43e0

SHA256
e6bb1353efc317a2b02317b3ff4ef145c91a80d633d286415592a545114b6c8b

SHA512
90b4fb058e007255ca8017ae7c3252d067fb7404b46f65bed228afd7f009a1386a7de9b76be7d700d35ff5112581093516dd34e500093cb578d3e500d8218eba

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
89KB

MD5
29f9e31df8736c0e66b16d3ba8cfcdbd

SHA1
aa1e3342f50ea011dedf4628c2fb10bc7699fcc5

SHA256
12aa5db99473608a2e306377a5ef58fd4778d9a65ebcff33a8791bcd695d359c

SHA512
dbd1d54ac41a2655f1ef57d1d833e7a4b1ee888ee14210c9506ad80076cef448212ba509ad54985bfafa5cb44745dff8ca532bfeeb824efdcb4f72393afd0b2f

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
89KB

MD5
409d410dbfba7bc3922812e937196ae6

SHA1
a2b1495d93125779b0ada421e49e00d1276f0294

SHA256
5befd35ecf277377207453daa624e545d93c2df8be3e73f7562398de160b6c3e

SHA512
574dc64dce015ae056fdb03435d50ec637b46486ee4346568f4224cba244067fb8e7df906e36ac0c807836ebf656762c8bd83b45325f24bec5793da112b6fd43

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
89KB

MD5
1911eb9c2a1e2ab4f88a58afee97c7c0

SHA1
e97624b3a3ca8af8a76d1a836117c8d212188e93

SHA256
155243a1624b157fc1a4f06f12dfa594dea275c89e5dbd52b164420d42d750ad

SHA512
016c2d946c3dc76afb76fa90cf4a74190193a75e10a4a67f077594d2fb54d1947e1e7844996aec1635725ed95b64e2f7c93222625890c50def71cb15ced42618

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
89KB

MD5
841194ecd2577cb6285a0734d09af923

SHA1
0f4151d92dddaf5c1204b57607a6610c301cb9dd

SHA256
c0424151fbf631dc6c14f783843d7868963d437f0857772a8613fc166afb3ac2

SHA512
1cc6ffeb2e45f20f0eff977d3d1f6225d75be54869a0b22c5b6ee9a6c2fa410f89acfd852ba1f293573e1214babbb01f86d4954a09d9f7cd4e52795cc2ac564d

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
89KB

MD5
b8dc1302efa796176fe454ad9206b896

SHA1
311128404bb087b85503695769e3427c27a375e2

SHA256
95bed7486e9d2b456c36c74cb66092d5c12120f16fdd9a64277bf603f6368ba9

SHA512
f5375dd74cb62ee96d989326997e79fa8f0c6ed8a44622db48038a4429212d0baf219077f2b4309e4c96a9c52d130e32bf9553af1fb42964ea7d3717cd8b8df1

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
89KB

MD5
4ba04fd7e0d19c60189ae5f839db53ea

SHA1
fabd5563c15510f92a83f4f39bd6157c992af24f

SHA256
7cf5cd68b81e45c9e4be689bbe3ebc87b8d22748786f3edaf8bda98cf638d0af

SHA512
6b726305a2f99792acbcbd2031c6b1d8160e1c3f3e5519b6a62f2aeb695be76968135a1db09d35d357758bfc1030071f71dfa59c6dd2fcb1803b8f2bb61266c0

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
89KB

MD5
a9a0b48b55b947badcdba00248108662

SHA1
8ab93ea61d984993e2ef28b1eec6b92f166f159e

SHA256
12223d8e1326d6a430efb84f6d891a1cd7a5ae7abdf3da2167bbd14d0ed9440c

SHA512
fff81be6fddfcce35a7efd867460d777f5e4625a9c10b95a80062c2871a6d79b14d3ed077a7161fe6e7a36e22eafdb86e6e78dfbb9ec7232f1fb80707c5d9497

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
89KB

MD5
8c2bf52104aa7d74277673d08dff62ad

SHA1
d658301cf531cc2c21d1f2417587b3eafc3497e5

SHA256
1a3176b0548b3c0904b35e9aa610c3248d2d69e93ac4d4f8755609174d6b04a0

SHA512
7b2a4c69efa22e5ef201047a0d7055e0e1bdd72491e31cf09d20b2bf5136dae27056728f5993e1cb4a7f3fbe0b1c321183fd4c348ef25df2c9d6a5b5bb69f508

Download Submit
memory/100-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-563-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/688-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/788-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/856-530-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-602-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1364-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1420-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1768-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-601-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-608-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-523-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-549-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3556-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3724-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3752-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-590-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-570-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-524-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-583-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads