916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 09:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b_NeikiAnalytics.exe
Size

89KB
MD5

192ead8c2e373a3bbd937eae0ee19880
SHA1

6bf8565b94ee9abc3fb613368796a4871471bc33
SHA256

916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b
SHA512

5742551d275ae6d14bf2acc27bea046187780a77cef2c960bf4f8060fd746144128efa76c14d3d17bc854083e869af8c25d9e9e6ccdeca58b1e00fb684f44d85
SSDEEP

1536:uCy4CjCYgTIlO4YMWuMhXHk0FPSyxWuRQID68a+VMKKTRVGFtUhQfR1WRaROR8R:GdxQIlrYMmhXH1WueRr4MKy3G7UEqMM6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Elccfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgphpo32.exe

Executes dropped EXE 64 IoCs

pid	Process
1032	Dchbhn32.exe
1376	Efgodj32.exe
2736	Ehekqe32.exe
3536	Elagacbk.exe
2156	Epmcab32.exe
1320	Eoocmoao.exe
528	Elccfc32.exe
4692	Eoapbo32.exe
4696	Eflhoigi.exe
624	Eleplc32.exe
1056	Eodlho32.exe
1680	Ebbidj32.exe
4764	Ehlaaddj.exe
3300	Eqciba32.exe
1712	Ecbenm32.exe
3108	Efpajh32.exe
3600	Ejlmkgkl.exe
244	Ehonfc32.exe
2768	Fjnjqfij.exe
720	Fhajlc32.exe
432	Fbioei32.exe
2236	Fmocba32.exe
452	Fbllkh32.exe
3668	Fjcclf32.exe
552	Fopldmcl.exe
3204	Fckhdk32.exe
2244	Fihqmb32.exe
1144	Fqohnp32.exe
208	Fflaff32.exe
668	Fijmbb32.exe
4988	Fodeolof.exe
808	Gfnnlffc.exe
4740	Gjjjle32.exe
876	Gmhfhp32.exe
3340	Gogbdl32.exe
4932	Gjlfbd32.exe
3532	Giofnacd.exe
524	Gqfooodg.exe
1776	Gbgkfg32.exe
4276	Gfcgge32.exe
1068	Gmmocpjk.exe
3236	Gcggpj32.exe
2428	Gfedle32.exe
1632	Gjapmdid.exe
3360	Gmoliohh.exe
1708	Gcidfi32.exe
2788	Gbldaffp.exe
2892	Gifmnpnl.exe
4812	Gmaioo32.exe
5004	Gppekj32.exe
5072	Hboagf32.exe
3528	Hjfihc32.exe
3188	Hapaemll.exe
744	Hpbaqj32.exe
2068	Hfljmdjc.exe
4616	Hjhfnccl.exe
2944	Hmfbjnbp.exe
4752	Hbckbepg.exe
3596	Hfofbd32.exe
1576	Hmioonpn.exe
1072	Hadkpm32.exe
4180	Hbeghene.exe
920	Hfachc32.exe
60	Hippdo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Elccfc32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Ehonfc32.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Eleplc32.exe	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Efgodj32.exe	Dchbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6632	6204	WerFault.exe	277

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 1032	3408	916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b_NeikiAnalytics.exe	82
PID 3408 wrote to memory of 1032	3408	916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b_NeikiAnalytics.exe	82
PID 3408 wrote to memory of 1032	3408	916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b_NeikiAnalytics.exe	82
PID 1032 wrote to memory of 1376	1032	Dchbhn32.exe	83
PID 1032 wrote to memory of 1376	1032	Dchbhn32.exe	83
PID 1032 wrote to memory of 1376	1032	Dchbhn32.exe	83
PID 1376 wrote to memory of 2736	1376	Efgodj32.exe	84
PID 1376 wrote to memory of 2736	1376	Efgodj32.exe	84
PID 1376 wrote to memory of 2736	1376	Efgodj32.exe	84
PID 2736 wrote to memory of 3536	2736	Ehekqe32.exe	85
PID 2736 wrote to memory of 3536	2736	Ehekqe32.exe	85
PID 2736 wrote to memory of 3536	2736	Ehekqe32.exe	85
PID 3536 wrote to memory of 2156	3536	Elagacbk.exe	86
PID 3536 wrote to memory of 2156	3536	Elagacbk.exe	86
PID 3536 wrote to memory of 2156	3536	Elagacbk.exe	86
PID 2156 wrote to memory of 1320	2156	Epmcab32.exe	87
PID 2156 wrote to memory of 1320	2156	Epmcab32.exe	87
PID 2156 wrote to memory of 1320	2156	Epmcab32.exe	87
PID 1320 wrote to memory of 528	1320	Eoocmoao.exe	88
PID 1320 wrote to memory of 528	1320	Eoocmoao.exe	88
PID 1320 wrote to memory of 528	1320	Eoocmoao.exe	88
PID 528 wrote to memory of 4692	528	Elccfc32.exe	89
PID 528 wrote to memory of 4692	528	Elccfc32.exe	89
PID 528 wrote to memory of 4692	528	Elccfc32.exe	89
PID 4692 wrote to memory of 4696	4692	Eoapbo32.exe	90
PID 4692 wrote to memory of 4696	4692	Eoapbo32.exe	90
PID 4692 wrote to memory of 4696	4692	Eoapbo32.exe	90
PID 4696 wrote to memory of 624	4696	Eflhoigi.exe	91
PID 4696 wrote to memory of 624	4696	Eflhoigi.exe	91
PID 4696 wrote to memory of 624	4696	Eflhoigi.exe	91
PID 624 wrote to memory of 1056	624	Eleplc32.exe	92
PID 624 wrote to memory of 1056	624	Eleplc32.exe	92
PID 624 wrote to memory of 1056	624	Eleplc32.exe	92
PID 1056 wrote to memory of 1680	1056	Eodlho32.exe	93
PID 1056 wrote to memory of 1680	1056	Eodlho32.exe	93
PID 1056 wrote to memory of 1680	1056	Eodlho32.exe	93
PID 1680 wrote to memory of 4764	1680	Ebbidj32.exe	94
PID 1680 wrote to memory of 4764	1680	Ebbidj32.exe	94
PID 1680 wrote to memory of 4764	1680	Ebbidj32.exe	94
PID 4764 wrote to memory of 3300	4764	Ehlaaddj.exe	95
PID 4764 wrote to memory of 3300	4764	Ehlaaddj.exe	95
PID 4764 wrote to memory of 3300	4764	Ehlaaddj.exe	95
PID 3300 wrote to memory of 1712	3300	Eqciba32.exe	96
PID 3300 wrote to memory of 1712	3300	Eqciba32.exe	96
PID 3300 wrote to memory of 1712	3300	Eqciba32.exe	96
PID 1712 wrote to memory of 3108	1712	Ecbenm32.exe	97
PID 1712 wrote to memory of 3108	1712	Ecbenm32.exe	97
PID 1712 wrote to memory of 3108	1712	Ecbenm32.exe	97
PID 3108 wrote to memory of 3600	3108	Efpajh32.exe	98
PID 3108 wrote to memory of 3600	3108	Efpajh32.exe	98
PID 3108 wrote to memory of 3600	3108	Efpajh32.exe	98
PID 3600 wrote to memory of 244	3600	Ejlmkgkl.exe	99
PID 3600 wrote to memory of 244	3600	Ejlmkgkl.exe	99
PID 3600 wrote to memory of 244	3600	Ejlmkgkl.exe	99
PID 244 wrote to memory of 2768	244	Ehonfc32.exe	101
PID 244 wrote to memory of 2768	244	Ehonfc32.exe	101
PID 244 wrote to memory of 2768	244	Ehonfc32.exe	101
PID 2768 wrote to memory of 720	2768	Fjnjqfij.exe	102
PID 2768 wrote to memory of 720	2768	Fjnjqfij.exe	102
PID 2768 wrote to memory of 720	2768	Fjnjqfij.exe	102
PID 720 wrote to memory of 432	720	Fhajlc32.exe	103
PID 720 wrote to memory of 432	720	Fhajlc32.exe	103
PID 720 wrote to memory of 432	720	Fhajlc32.exe	103
PID 432 wrote to memory of 2236	432	Fbioei32.exe	104

C:\Users\Admin\AppData\Local\Temp\916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\916132d7d8685d570db788c7122ddf13b7607d0d778a0b338cfb0bd18c814d8b_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\SysWOW64\Dchbhn32.exe
  C:\Windows\system32\Dchbhn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\Efgodj32.exe
    C:\Windows\system32\Efgodj32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\Ehekqe32.exe
      C:\Windows\system32\Ehekqe32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3536
      - C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        23⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        24⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        27⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        28⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        33⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        47⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        48⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        50⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        52⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        55⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        61⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        63⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        67⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        68⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        69⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4736
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        72⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        73⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        74⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3468
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2920
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        77⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        78⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        79⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:964
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        81⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        83⤵
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        85⤵
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        86⤵
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        87⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        89⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4200
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        92⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        93⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        94⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        97⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        98⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        103⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        104⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        105⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        108⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        109⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        111⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        113⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        115⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        119⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        122⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        123⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        125⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        126⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        128⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        130⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        133⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        134⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        135⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        136⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        137⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        138⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        139⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        141⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        142⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        144⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        147⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        148⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        149⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        150⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        151⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        152⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        153⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6576
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        155⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        156⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6760
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        159⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        160⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        165⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        166⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        169⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        170⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        171⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        173⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        174⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        175⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        176⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        177⤵
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        178⤵
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        180⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        181⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        182⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        186⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        188⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        189⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        190⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 420
        191⤵
        Program crash
        
        PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6204 -ip 6204
1⤵
PID:6572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
89KB

MD5
88f4216ad8f0f15381cf7151fb8c3b9b

SHA1
3fb70ed9fcb049f394f8bd3db90ac6ddda54ad17

SHA256
d04274113bb126fb34bd9ec69cb636d6d28519232dfd3930b2c3130013bac90d

SHA512
264118a937a0d828fc56ff15bd8ecb68409b043367784f38273d0f4f326f034e0cf04e49eb4244935b009bcc2ba9b50d190398cddd02416080942513ea2af40e

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
89KB

MD5
65d153cc86246880a39ef1d05f825d1b

SHA1
c5e52a6d6dd001217135758eac59e451762ef910

SHA256
e5a8f63fd9f9072edcb9122110155b333b7a4c9458534e5e36a5f4d218762edb

SHA512
0babc4280ca13876ca732d84eb51fd07dcff44770ed817851a748152ae73ac665abae34e1e8865aae349599acd43636414fb35e1d849d6520355f46a1a3c770d

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
89KB

MD5
c72b4724cd4ac3779b41460cef748ee9

SHA1
c70227d0e0eff1d3e4db4e0c52c9062e0b52990f

SHA256
ded10f2718d95f41f98e374bd3e8fce757d095bf4254d3e4ddcd1388ab9273ba

SHA512
bf53ab0181c8da23da61667cb9365b2db8133b6e0f1314487cf16a1760612dc99d94e0de44835619aee911a9e9850f21dbb0868fe27592fa992dbd5069fdaf75

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
89KB

MD5
40deeffac210668279ebb1741139156d

SHA1
8691a2e7511cdac1dffa5d77eaedcde022358fe5

SHA256
42a3e69a20fa08bfc868ece4788a35eccb42c65e47ee76c7fcba45cbb55ec7fd

SHA512
2b1a663557d42c00ad25a39bc986fef668dd8f27369de77c0ca5c27a401440679902d55ec414f5e65eacaf99617751cf7c147af598bb730c15b65b7d85c54928

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
89KB

MD5
b3ad6f435bd41bdaa11614ae5777d3d8

SHA1
38b32f57e3f33bd8acb6b2c16b8882a447f2b7b2

SHA256
d92279d1e608834662f5f9bca7466e6007357401e81a329b266ccdafc96e2a0c

SHA512
0a9d6946ebf0f6f3d4e839bf4e16763d075b7af6d4786099481bdddf51108196f40f7874c4368c330b954af987aa350c1f9469c58aacaf14c9f5187052683b9e

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
89KB

MD5
c3e0b2b62e74d7a8e509bef0ee7b2963

SHA1
3edb8b62f495e67966d7b18b316f7050ac014c29

SHA256
d14ce8a44d3ed010284962ad90092809bc5872aca42f303e849a9ee42a6ec070

SHA512
55de82f13568af12fd88924d30e47695946830a06804db7546d35081d90483283b406af72f17264cf0ab0ff8920a35673a18936e3d7d052401bedbbbc00b7ab2

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
89KB

MD5
1eec029ecf76933dfb2daf25bac12648

SHA1
cf105ccdcf8afcd7392c9b4aa1a1d93d369e017c

SHA256
58c30707134dce46114b46e9de9ea5dbb51b0c3fef9bc7742f1bf7f3da8d2409

SHA512
8eca363104b3e6f3f1bb7ccac1cd24853ea3e6def9455e1209723bb37d69cdf6b7f0829dbca7453df43500d53d625dd850480b60f62cf426b876bb75b2261e04

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
89KB

MD5
4d5f4a961e7e03cc07c855a43cfadfa3

SHA1
34d99031051e58755046f288d3ec7ba4f55c212a

SHA256
73416e44b9ba5f739e5fe20346106b32f9f55b891039ecc1a63eb9113040d4b7

SHA512
877e8c72e1590e90e1acad93f0b18f7ef6d12e0f0eba5b8af2df4b4b32eb5d1fe2aa0caa2a840ca3afdbf0c29373597af023c203af2078d2a8c3585505af11c9

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
89KB

MD5
d540f44dbc23ac989989609fbbbfd806

SHA1
d0ca1ab6b0c8a9a187e19e4729546321d55c77a1

SHA256
554bb706e941800d54752beb8dc677acdefdd751c843a4a46bbbc9b970b582e5

SHA512
2de007b010f967f46040fbfc7775bc1479fac15734b97235d479e19e3a540465409634358c7d3b95bc49c687353729f4328b984f65d6f6bcdf38f97170274b70

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
89KB

MD5
9a2d8fc2bb3700628e0347f151905892

SHA1
9bfa7efa17a4d05de3c24d10914c75c0c9df0cc8

SHA256
6d90b09f6c54d0ba3c4e872e6132226dc71a5979a3596dbd8edc833c49b87e30

SHA512
bf78ef3c533eee2fee82ab83eff1159a16101d840881dc96d7e735214cf60df8c0d03e57151c62c20ff0d4010be59a09fb092062c6e8c609c00a737126f6a5ff

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
89KB

MD5
406c459e5dc8e0b9ea9bb057de6d6f2f

SHA1
028cf7f8fb5d339f239de0699da42c87550a6284

SHA256
fa6a12183589fffe44158bc3fb65cd4b2a21112edeafa964396ad86e0cc80b40

SHA512
b65a11a0dde1b106f961f2aeb104d024bb73db154b9b00507c0b9ff264001af7cde46fbbaee93d715a97e87e69e9504df7f799f3bff72fbb30c77af140224580

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
89KB

MD5
c6caf97b72e4626e85bdb5641b39a9c4

SHA1
be7281918dd3fc4184492479836961026113f05f

SHA256
de884ee82336986e1b7e3bd0d33b75f99aff4574ba0b086df6cb4b98a09d3d59

SHA512
570a563fbc9682d348370e4e35a60219ff542b1938cb7d5a1f967bf6aaca38671b7858f8bf471e40b2bb197718d8c5053c630b971f26f005a8d03560bef1c24a

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
89KB

MD5
41fdd2fdf0e98a40e8e165630d8ed159

SHA1
8b474ea5825649d0e4aeb61de88efb1cc2fcc6a7

SHA256
717606a093f8e23250039ef5b4f1640f1b04200c4891036014e69ef2ab7d0188

SHA512
6722544eba50e941c7ee6be5cefb5beecb1e0564cfdd59a7ed6c6fccb3c6f2e123b86129411920efc9ddb58306beeec653adff478fb1126e728cd575920e8b92

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
89KB

MD5
2e52f5364a0998dac53e249359ffd708

SHA1
e0271f7a83fe48c71db4d58766df02eef989d1b1

SHA256
937c025fc4c32f647727b7361b04b3b25ca761952a23afba559c51b201e091eb

SHA512
17bfd3ed532db09d26700b53e846f4830afddfdc2f7f45fa4b76d5d01476c023cff819055510b563c1e5f4532a09b312f9be5f90eca91270fdb76da8bb6030d0

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
89KB

MD5
a669a18bf9b755250d579610b09de31c

SHA1
5c7a109c544ccb757b1db6059ca6e7d2e4db4534

SHA256
8f25226de49fb3c4a0fc39ec4b6361fcff3b8e53df9df2b53fb10a591c9e31d4

SHA512
29f3a0e540cea7ddfbaa458e24ce7169119b548eab22fb8b5ae10ece86eac8330c10a174d1dca111e3de1ff6ac0189d1c3029c4e46234fa2c10a250c6a70ad5b

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
89KB

MD5
06c3727056a981a33526bc596511814a

SHA1
e08b1b3c22acc358194fa3227a7e9dc12aaf7070

SHA256
26aa1af44ccf350afaea4aee85ae644d459ecb21221f6773865d01657eb2d8e4

SHA512
c79ea3c33449906319ab262a7c29ef3d2b677efc8a446515904fbc554c1364dd018fcb5ff99d4c2c07293734770ce722803d51c88fef6706c3e2a6eada23e175

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
89KB

MD5
6682b5f4df016737833f5450e3abac6b

SHA1
9d8ae0eaa66859bb1b665037d7a56cd9e00e502b

SHA256
a6e8fe9064b9bc1d4e7a8a82de9ae27e17db2d7fed9e1d52e36af36779c2817a

SHA512
809c370fbe2683131e543a69e5ce47c7b36a632fb05b159b56ceaa2d4f0638ac2d4a8da65fe5698b6a27a592e927074e4f4ef752dfc8eef838e7850903876b5a

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
89KB

MD5
50f7d8844ffbb1e76c5b9bf27f683619

SHA1
09fd7c5f21c3e5e60ccbd77f7b6aae5b5ebd8bf7

SHA256
3b6d8ea8be28026904fdadc6e4e7212b673d3dd593ec2cfe39a816430f530fae

SHA512
718c04f2cea407c49c66a952ccf99fddc6015ca150f397601fa94a5e6b244f14ad3431276eaf581e5118631c0f3962f1f4884b5f54bba86beeaeb56460b268a6

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
89KB

MD5
6a17ba2648f4e3866da3813f7b57f4f9

SHA1
327d7424cbdc974d317f5a91b5bb2cfa78a0a1fd

SHA256
320c7a5409f1cf9fb40b316bb5415db643fc678241dc5077ee58450979755852

SHA512
812e14bbdc31168c245a1fb9563620e3c5640f6d1db9fc2238f2d680e58482b58b5595b10a6eab088b8c56cc24ef9657ad21513081c37739f42967f4b62b2517

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
89KB

MD5
0993a293b565c3e98268d4ebaeac17ad

SHA1
7ff3c2b6fdf77ccd16755847829784719243e7f2

SHA256
a3b5cb8bce07632a37d7b39f2c1641b105be976991b8bcb7e91b9d61e8ac701b

SHA512
486015bc9a2406d367dea2c8438d94202bb075dd02c52a15a34f3989fad9c9a412efe334527b3c2d6ab5db14817f842e39be207e9b181a3e23af3ce581938042

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
89KB

MD5
7febc88347628293192ff025dc3cc6fd

SHA1
8a9bde7227299cfdd5792ff3ef795f1fdfa5103c

SHA256
4555a368575a09f805d6905cb4fdddbb4fab57fd563535896c2c74060a34d528

SHA512
ca2570fc02545f2ca233de1aa150290cf762bab73dec979544c4fae48b1f847591aad88dfae05f3d9fdde0482799c4025bf1e7196cbd4db4e83ccb0ebf28d75b

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
89KB

MD5
585b9b19db77d66d257e188a6f91a3dc

SHA1
6c81d63d531cdf3ad993049b637a38e4045937ae

SHA256
f660c1a8c2a87e303517f8180f3e7b67f2bf57dc219a1475608ae2ec5b5a61d6

SHA512
a840b6957cb4002f2557e5f2c9886a2b9460350dccb3c4fe003f81c28443fbdd4d4210b5033cf6e33727ac9ecb397065e4aac8f10fa73be257264d4cb2b2abcc

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
89KB

MD5
b6133f1ea3ffb6e8ecfb552a666cbc24

SHA1
63b480da0ed4a64c3638290d042012738b6dcb41

SHA256
b64f0c78d1898089ac60c7d0a618725c761c70b8fb29a3881af178b6f4377092

SHA512
871a117dc95265a9c092225885ee19c0dad847c3a8c1461a0cc0afe21a58c154c8a6fbf445470ba13cd2aa1f313f60375a1e302c526cc32c504a29d1bfa6e99e

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
89KB

MD5
9233d5678ef620785051aa821e1df588

SHA1
dc502d5d040c053865bdeae76a5096fd0ca50258

SHA256
8546872e862bf68b420d41a9f25f3db725369d0ca5edd20efc5c3b5b000fb953

SHA512
a505acefce2b030cc1e22e7c6233ebf87791979291ef7e9eae10537b7f4823bc2461b451cbe44718505db1398dd2c3bc2d1ecd2ce5cf2b9348098da31ac81f40

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
89KB

MD5
96297f1de27d3c3070e70f836074ea27

SHA1
4833dde91d76b01e58847d9dff02bc335ab4cbd1

SHA256
860479176c24222cf5a0da33abb9a239f45b3eb0ba695a00c17744db47fe44e0

SHA512
ac0fb213af69890e1a2a32ad19fb3c89464320851b954fca1f7e05aba5a5e68e9663904d3d379aa9406d68685e357f45717f40904e9dc4f2956910f810c26457

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
89KB

MD5
09c3a0f7aeb9393fd21856365eb8cdb2

SHA1
3dab3ba54f4e2dc3a58839c53f0360051f894bb8

SHA256
612f1fee17e3b23b8a31e13f50571f01ef8affa114c2eedd80b751b45ef954a5

SHA512
14b383c0e8bd7f1c81f9465bcaf50642d3660bc2816cf2e1a116eb489c96f634a393a792b2a29d1e46b46c4090eb63a6adb8086bd4efdb8fac09ef46d58f7311

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
89KB

MD5
f13615a8b0053f0a0cbea3de6c69769c

SHA1
58484692d8c22c82b5bbb80c67a9705e3e4a1182

SHA256
c5f021311aa7db419c1d3931845573296bc395d8deb2fa3d7e09ecff42bd7e70

SHA512
4b02a3e98bf72288094fed0dc00dffa8dcb78ea97cb892d5e382c8f8d83c1bc5146efccec0cf09f47601689ed58156af5636d05d4785cd11601c650697770c15

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
89KB

MD5
c50362cef25e64bb19d187da9697675a

SHA1
0743efe63941497016ea47397411172535dfec7a

SHA256
0ebf22ea4f155f9befcd50e5bfdc32beaed93c09a6e79c7328f03cc869d5154d

SHA512
6aa1fceedc215dd27784ea24194c796dc465be44c097beb775afdd4a5aa1c80cdb07ce3cb6c4293cf047294bfdd751aaebb21674d8b6b87c24bf881d25eecc56

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
89KB

MD5
262fc634e7e5e9912dfec5ef97072100

SHA1
31dc4c300f1e1a4ea4010e2f73254389094e79d7

SHA256
4f9381e828bfe12b6cc359cb719727f8c6bd3137318183194bf830e27546962d

SHA512
f4b9eec105837abc18bd04f49f934079860d6a8dbd2f3071f4aa566ca9eb168876a6c784d36be4df813624c6d5fd5679ca367b0ed812fc3dcc3afbb542cd1cc6

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
89KB

MD5
96eef1ccd67ce81fabd9b05f66196702

SHA1
15c22da6ad43215b21f9479860609277f8b51110

SHA256
dd3df6959b0e75f1b13a93d024ec5c6d9f3ce4f14b6fb55455bece9038402bcb

SHA512
135ebd7626b9049a949950ee926a3a29c1c45fa09592cfbd3aa07e12d32acca70548eebe624dcea8dda4fbde3351ef7800c918c6bb34e85b3074215ed747daf9

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
89KB

MD5
a0a0bb1707e0c4bd2b5145e7c7e01c79

SHA1
215e4f1eadbc2a12baaad61d66957ce0a30a907e

SHA256
43e9ad2d0f89c42724783a4f6bc041f5b851faf5158bed90a4f0134e0563f408

SHA512
ad69225604d717eb2b65965f151cbf15af199290e336314093a0062250685d1d69e24fd269e0bd716fbf6b589ca41ba177c7759ad65aa2a9ab8d8c25b80d5059

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
89KB

MD5
3b684dc7f61c2298dd17bdc7b358fe92

SHA1
7eceaa698ff53a2720c0aa5b705cb0e69ff5ba6c

SHA256
c68ed57b41d44e51e5f0dd3c5c2f07ac2be49c446e560f4caadfc007528beace

SHA512
253ee07d3073cac9310f7b4765240d6b7bd1689f94871aa2a1510806fd796c9bd281ab7ebedfff6d266fb661a2c3df1de8649a8aaf0cc3b867770a4f0258de7e

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
89KB

MD5
b2812d0217bb36127d03c1bf86818780

SHA1
78152f1701eabb9cbee35425d2f36a8195329e76

SHA256
ac7e70a95cec961de297f6cb1953b29cb02172fe65bb1d1cc9a9f9a958ab3287

SHA512
a10354c338d328f63964bf43d36621bf5258e372c6073fac524460e7d6012ce7cf7dbf162b836d8f6d4030b3fb48b0883d165295b7e998dc111fd757f7244295

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
89KB

MD5
78f8b17c02e34998357bb7687d546de1

SHA1
54e88c86ece5a9ff2190b98851fb110847e28d38

SHA256
75823af1ba502cd8ae685279a3b17c69beba079481a59a27993bdc3c26f732c9

SHA512
91fc76e9a1b671ff84d25247489943fff70cddbf90c0e4070b3c77e46c3709daab7daa763fd2102cde8f1903c9d797484a3bc6038b4e1e79a1bd69c8206fac07

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
89KB

MD5
d9d26e36d30ec6ec5b9b40423fe0b538

SHA1
180d9aaba4aea508e449159a80491ff29c3f645b

SHA256
672e2b91b766670e046c337bba45c01a4d9fe6b5bed77bceb920dc3f22a0cfaa

SHA512
4d2c7911026e82573566d65d0dff703ddaf315d13d063647d1cb0ee0df168d15697e4af803b23820cc1fc82f461f64199ba980e1336300c2513358d0428b23c4

Download Submit
C:\Windows\SysWOW64\Iifpphha.dll

Filesize
7KB

MD5
c03640754588605a467a5a69db4dc396

SHA1
5717f5fb67a911cb22f955d568b5a5303e1d04ef

SHA256
af20740e0aeaa9405fa2bf94d2155eafd233f7e40cc3cfb5f77aa7324a25410a

SHA512
18964db4c08896063f48a8feae3d5b254fa8a970136cb0b01d70f3994991868d7a8402bb1a8c0b97a8dbb90caac954cfb3685bbe09b6a99e3b4d92f6eb3c12d6

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
89KB

MD5
e4f36d4efe1209fb1e36a1012343c1df

SHA1
311fa9dc28dae20d973612c4b130dd898f77cf9a

SHA256
8e75824ef6334c34b7deeba1aed2caaf4adff93ff47753034910abc51787237e

SHA512
24d7604152d9f5e0dc998fb44608ee666c8918b2f64f80cd242472d181e75638584cb36a07a0ae44f7e8108aaa346c12539ce71fab8cd5e2d6b11482ab84f354

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
89KB

MD5
3149f3ea28d4aaa2276e0b844034a4a2

SHA1
0f13181bdd031a7a7cd2e0f58412a48900d75b8f

SHA256
b6c3063e38ce89142a054c31a47da3716d951d7df246f7843958cc3329caf57e

SHA512
8a6fb29651b175405d7b5faa0284a420de759f1d15f22634ab3794d150d307f4b5fcb39157a26624bc819b88542ebd47b823151d81cead869d49634d7721d32e

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
89KB

MD5
81e921e8204de0fed6ab98d58ca45a15

SHA1
76ed92e9938c78cec9cfa205ca284a9b3516fb48

SHA256
e6b89ae2ac3864bd79aae7f2d3e89966bcfb87056e27779b41e70d4bbef58cd3

SHA512
88c3c86992dfb13cfd7433dba497ef1dd0387740c1b94bf6e72e7b9f99c936e4920a22f45da39e83a70068ea616a31723e920cfbe6d2a2ea0188cd62a7771763

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
89KB

MD5
37a27fdbb09451f01e36873f1866cc7f

SHA1
cbfd429e1619817a07cb0f9e39a963df7e740cfd

SHA256
920a25a90179933c72a6244b299edfbc63590f0e4f411c1df2d7bcdf6817b57a

SHA512
b8eccf6ab8bcdcdf6c724b715b9c6ae2ac09e8503aa0337d3490f6fc23158147a897ee076afb4ca1b75dd1df866199fc53d68683490b8e0232df9e3ccd2c6030

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
64KB

MD5
2826141a30e1e1afdb68a1b2b86e5730

SHA1
4938a7907bbd16eecd0027f4823da3c24e722d2e

SHA256
8a52e014103b5321e2c693e2919b978743705231e5ec22eb9954e9f469ac6071

SHA512
72097b711910f559de81266db9f23957234664499228a03c7c4b989b8e3539a7b424cdfc76c8666d3c65e7966b912b154006fe8cf4aa68108562eaaa7d423238

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
89KB

MD5
663f284879943d170bee9b8781c30b0f

SHA1
34621feba0cbaa397c33214a9629bad72417a979

SHA256
bc7e8de2dd1d7698a0725c5a07c154c05a9779d55cbdf73205659c5191b60818

SHA512
f2f2483bec89d538d0c06d047a107b72977c4f0a27d6b43573e74bc7502f04fd2344290afd820ea6cfa3aa6dfb081351b9c8a15da997834ff30dab24e8f81116

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
89KB

MD5
41759a64071cc183c3e36777854a33dc

SHA1
bda8a7562e41f4d18d346a12635db125cf3ad158

SHA256
1137cd530357450ce6962aa5f084b0afb42c36106d3ebc2a22e33abf7e81de57

SHA512
8469e0770ac6269dd5c925b69bfb7f3c7e7e96b1f5b82e5828fd01b57e672459c43b2b428b06623c5da7f3ca75a04c688cb4ffd7203df488e2d3756b0899a070

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
89KB

MD5
adfb25921cc8b8b1e0fe66aa6810622e

SHA1
455dccfa1f437062eed392b9424b89f54e601d92

SHA256
b270cce76b5667d2e4afbd2bea5981a67864bed8f781b7a46dfded068cea2bd9

SHA512
ecf1f126ba9f0b2262eaaa00e5d82742f0f28b59307cece4cef1a94b35dedfa68f0c618d09b9b642eb0ae2c262ae3feb67599aa6606a44ac191ac3db0a2d3e51

Download Submit
memory/208-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/244-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/244-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/432-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/452-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/452-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/528-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/528-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/552-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/668-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/668-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/720-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/720-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-422-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/808-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/808-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1032-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1056-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1056-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1376-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1708-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-122-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2428-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2736-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3204-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3204-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3340-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3340-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3528-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3532-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3532-307-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3536-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3536-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3600-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4276-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4276-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4696-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4696-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4752-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4812-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4932-300-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4932-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-402-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads