b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef

Analysis

max time kernel
135s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef_NeikiAnalytics.exe
Size

320KB
MD5

d5a9187e262f4e57eacd71f52f3829d0
SHA1

24e915b18c114a9c3b323d76490397e24956b9c6
SHA256

b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef
SHA512

f9c6d02fe1d5a12e77540d4a5ce7838c2bfb235b5ca2432914ea7a42da2d4d30955a91355b9ad00fd3d2b44a8030f75a7c926c9c3753ff68f37160d5c75e84f3
SSDEEP

3072:jX2osrVgjefwS/A4MK0FzJG/AMBxjUSmkCMQ/9h/NR5f0m:jJWgjefV/Ah1G/AcQ///NR5fn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe

Executes dropped EXE 64 IoCs

pid	Process
2688	Dokjbp32.exe
3040	Daifnk32.exe
4432	Dhcnke32.exe
4792	Ejbkehcg.exe
1488	Elagacbk.exe
5040	Efikji32.exe
2516	Epopgbia.exe
3172	Eflhoigi.exe
4116	Eleplc32.exe
3920	Eodlho32.exe
4984	Ehlaaddj.exe
4532	Eofinnkf.exe
4420	Ecbenm32.exe
3012	Ejlmkgkl.exe
4820	Ecdbdl32.exe
2332	Fjnjqfij.exe
1436	Fcgoilpj.exe
2320	Fjqgff32.exe
5032	Fifdgblo.exe
1600	Fckhdk32.exe
5012	Fjepaecb.exe
536	Fobiilai.exe
3832	Fflaff32.exe
3924	Fodeolof.exe
4168	Gbcakg32.exe
1640	Gmhfhp32.exe
216	Gcbnejem.exe
364	Giofnacd.exe
1836	Gcekkjcj.exe
4304	Gjocgdkg.exe
3604	Giacca32.exe
3264	Gcggpj32.exe
2180	Gmoliohh.exe
3144	Gcidfi32.exe
3188	Gbldaffp.exe
4256	Gifmnpnl.exe
1916	Gppekj32.exe
2708	Hboagf32.exe
3028	Hmdedo32.exe
4800	Hpbaqj32.exe
224	Hfljmdjc.exe
1264	Hmfbjnbp.exe
1204	Habnjm32.exe
4240	Hbckbepg.exe
2644	Hjjbcbqj.exe
4992	Hpgkkioa.exe
4628	Hfachc32.exe
3816	Haggelfd.exe
4700	Hcedaheh.exe
432	Hjolnb32.exe
3292	Hmmhjm32.exe
3496	Ipldfi32.exe
1856	Ibjqcd32.exe
4600	Impepm32.exe
2900	Ipnalhii.exe
1972	Ibmmhdhm.exe
4816	Ijdeiaio.exe
4588	Iannfk32.exe
3288	Ifjfnb32.exe
4476	Iapjlk32.exe
380	Idofhfmm.exe
1200	Ifmcdblq.exe
3852	Iikopmkd.exe
4616	Iabgaklg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Efikji32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Efikji32.exe	Elagacbk.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6360	6264	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 2688	5116	b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef_NeikiAnalytics.exe	82
PID 5116 wrote to memory of 2688	5116	b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef_NeikiAnalytics.exe	82
PID 5116 wrote to memory of 2688	5116	b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef_NeikiAnalytics.exe	82
PID 2688 wrote to memory of 3040	2688	Dokjbp32.exe	83
PID 2688 wrote to memory of 3040	2688	Dokjbp32.exe	83
PID 2688 wrote to memory of 3040	2688	Dokjbp32.exe	83
PID 3040 wrote to memory of 4432	3040	Daifnk32.exe	84
PID 3040 wrote to memory of 4432	3040	Daifnk32.exe	84
PID 3040 wrote to memory of 4432	3040	Daifnk32.exe	84
PID 4432 wrote to memory of 4792	4432	Dhcnke32.exe	85
PID 4432 wrote to memory of 4792	4432	Dhcnke32.exe	85
PID 4432 wrote to memory of 4792	4432	Dhcnke32.exe	85
PID 4792 wrote to memory of 1488	4792	Ejbkehcg.exe	86
PID 4792 wrote to memory of 1488	4792	Ejbkehcg.exe	86
PID 4792 wrote to memory of 1488	4792	Ejbkehcg.exe	86
PID 1488 wrote to memory of 5040	1488	Elagacbk.exe	87
PID 1488 wrote to memory of 5040	1488	Elagacbk.exe	87
PID 1488 wrote to memory of 5040	1488	Elagacbk.exe	87
PID 5040 wrote to memory of 2516	5040	Efikji32.exe	88
PID 5040 wrote to memory of 2516	5040	Efikji32.exe	88
PID 5040 wrote to memory of 2516	5040	Efikji32.exe	88
PID 2516 wrote to memory of 3172	2516	Epopgbia.exe	89
PID 2516 wrote to memory of 3172	2516	Epopgbia.exe	89
PID 2516 wrote to memory of 3172	2516	Epopgbia.exe	89
PID 3172 wrote to memory of 4116	3172	Eflhoigi.exe	90
PID 3172 wrote to memory of 4116	3172	Eflhoigi.exe	90
PID 3172 wrote to memory of 4116	3172	Eflhoigi.exe	90
PID 4116 wrote to memory of 3920	4116	Eleplc32.exe	91
PID 4116 wrote to memory of 3920	4116	Eleplc32.exe	91
PID 4116 wrote to memory of 3920	4116	Eleplc32.exe	91
PID 3920 wrote to memory of 4984	3920	Eodlho32.exe	92
PID 3920 wrote to memory of 4984	3920	Eodlho32.exe	92
PID 3920 wrote to memory of 4984	3920	Eodlho32.exe	92
PID 4984 wrote to memory of 4532	4984	Ehlaaddj.exe	93
PID 4984 wrote to memory of 4532	4984	Ehlaaddj.exe	93
PID 4984 wrote to memory of 4532	4984	Ehlaaddj.exe	93
PID 4532 wrote to memory of 4420	4532	Eofinnkf.exe	94
PID 4532 wrote to memory of 4420	4532	Eofinnkf.exe	94
PID 4532 wrote to memory of 4420	4532	Eofinnkf.exe	94
PID 4420 wrote to memory of 3012	4420	Ecbenm32.exe	95
PID 4420 wrote to memory of 3012	4420	Ecbenm32.exe	95
PID 4420 wrote to memory of 3012	4420	Ecbenm32.exe	95
PID 3012 wrote to memory of 4820	3012	Ejlmkgkl.exe	97
PID 3012 wrote to memory of 4820	3012	Ejlmkgkl.exe	97
PID 3012 wrote to memory of 4820	3012	Ejlmkgkl.exe	97
PID 4820 wrote to memory of 2332	4820	Ecdbdl32.exe	98
PID 4820 wrote to memory of 2332	4820	Ecdbdl32.exe	98
PID 4820 wrote to memory of 2332	4820	Ecdbdl32.exe	98
PID 2332 wrote to memory of 1436	2332	Fjnjqfij.exe	100
PID 2332 wrote to memory of 1436	2332	Fjnjqfij.exe	100
PID 2332 wrote to memory of 1436	2332	Fjnjqfij.exe	100
PID 1436 wrote to memory of 2320	1436	Fcgoilpj.exe	101
PID 1436 wrote to memory of 2320	1436	Fcgoilpj.exe	101
PID 1436 wrote to memory of 2320	1436	Fcgoilpj.exe	101
PID 2320 wrote to memory of 5032	2320	Fjqgff32.exe	102
PID 2320 wrote to memory of 5032	2320	Fjqgff32.exe	102
PID 2320 wrote to memory of 5032	2320	Fjqgff32.exe	102
PID 5032 wrote to memory of 1600	5032	Fifdgblo.exe	103
PID 5032 wrote to memory of 1600	5032	Fifdgblo.exe	103
PID 5032 wrote to memory of 1600	5032	Fifdgblo.exe	103
PID 1600 wrote to memory of 5012	1600	Fckhdk32.exe	104
PID 1600 wrote to memory of 5012	1600	Fckhdk32.exe	104
PID 1600 wrote to memory of 5012	1600	Fckhdk32.exe	104
PID 5012 wrote to memory of 536	5012	Fjepaecb.exe	106

C:\Users\Admin\AppData\Local\Temp\b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b26fbec816d45877b8079e405440e2477a1ab70973ee3445d6741975a2db9cef_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\Dokjbp32.exe
  C:\Windows\system32\Dokjbp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Daifnk32.exe
    C:\Windows\system32\Daifnk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\Dhcnke32.exe
      C:\Windows\system32\Dhcnke32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        23⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        34⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        35⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        40⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        42⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        44⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        52⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        66⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        67⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        73⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1820
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        75⤵
        
        PID:992
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        77⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        78⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        80⤵
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        81⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        82⤵
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4972
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        85⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        86⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        89⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        91⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        94⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        96⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        97⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        98⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        99⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        100⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        101⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        102⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        106⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        107⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        110⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        112⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        114⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        115⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        117⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        120⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        121⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        122⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        127⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        129⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        130⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        131⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        132⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        134⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        137⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        143⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 408
        144⤵
        Program crash
        
        PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6264 -ip 6264
1⤵
PID:6332

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
320KB

MD5
cb2763099726ec8691b656518a7098b0

SHA1
e103e8249ec70a5a9511e3314aabef6444bf9d0a

SHA256
46996564507f3d4b71241eb1c9042eedff47339db79d88176c1df85c23bf19a8

SHA512
57f5254a288f3dd6f31473f9b8a5a6c6245bd22cb84efd0326c2f1fb68c9242b566571fad6c105f438f766bd83f0cbf5709d18e32550385ec40088df2dff942b

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
320KB

MD5
01da6eded379d704121b96b0b9ed4ada

SHA1
fce7b9ec937c93f85d40901aec7adcf3a24bc4c8

SHA256
91d7d69501c234692919ba020bc5de213c86706ec2c4efb2c50a20f46a6bb134

SHA512
5651a219592fa2528610b7f80ae966f790569fcadf6d1d29fc401e8afa48360c774c5f1cf642f62eea6539e8d428963ff2580c2a702e18c071de17e1fcc8ee3d

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
320KB

MD5
17b0e33ce804a4d788feacc32b1d6173

SHA1
f0d1593b95b4c3f2eb1dc9d2bd95dc275e21eb3b

SHA256
9b17a54469f176e168e9843b0bfc8d03e33988c0f26b15660f1796ed1f54c1e2

SHA512
7a5ea8a285801cc54252574e6fe7a8566bb9ad0d94671c7580c3e87be6e7f5c9dc73350963dfd54b0600733c58e4c44ca8c3b112660431813e0656424e9d0085

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
320KB

MD5
75a5ae9d4324e7982551ed042f90d356

SHA1
f92e719970b055c998113a6916858717653deff8

SHA256
816664f74791c71532471a2d165f2e9ac41f9be148e6ca3a0b0fee9fba0d25ba

SHA512
4e97bb007b504bfd04ad523998cca5b8166e9e7c08a61ee57c11b195781b9234e30ddaa34ef137ba9bd34cd4e4d134968177ea28546462ca1f02c83b6a8afca8

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
320KB

MD5
5063b65a9f49bcd48226d9f14c32d39e

SHA1
c455c7d7680f92c86a8410a193892e20aabca791

SHA256
aa91c12c99e62ae2cdcc03c76958605cb511c2005b2e19f8527af7c6840d9201

SHA512
6502c6eacc5ffbcf2f8bc3d58deb75a55f440735f93a7cff6feced0b12c5c8dd174887e295ae6382cd735f70630948407b8ffdd07eda2f6e1d070be958ea118f

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
320KB

MD5
79da8f1e39a70363ac335e029ce03d75

SHA1
9944e8a1cf7c0b30be0f36fe64f57572f718b6ff

SHA256
e9de5bcbece79ebe1e3d38e3af3a51d6c16b0cbfd3aca7b27b146786b8def48a

SHA512
3415b942a240e8f41c9c7755b8c307950cf4997bf6a79601cb13b19130dc174d3bd87c521238c4d850b1446f5a20b30c0ffb53886805ea11dda45a5bf6580d3f

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
320KB

MD5
1e20f328ac9e9227264d2cdd142387bf

SHA1
e6254571b70c6ab7d096fa30adcbc1181f7cbf8b

SHA256
5990089f778bf8baede620accb0638655dc6c2f0755397cd9d6e784b2c48b276

SHA512
29c4210104953a527b696836cb8e931aff837dcc709558bf25a9b55844770640536228c8780e54b4fae32142ded126bfc8487c99c0211b5f9faf3e3e50fa6da7

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
320KB

MD5
99ca431806d46c0a140c913c3775608b

SHA1
4fcc5218a0c6fabb9caaeea8e89ae18cf6563075

SHA256
35190e8d39bcb5afbe605ee11dea05b2bc760d9a28dc4b8942618fad68e7260c

SHA512
d53afa0180dbb9b7ce64613d1120c293c58f615a40a51cefe0ecc512ef7c60fcddd26ba768c569bdf54903c82274bb01237b5301087acad6e9f305c4745b4be2

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
320KB

MD5
46d42579623c8c6e3b246c9d0a8ee04f

SHA1
4787e8d8e2610cefff94c22bef052190771386fd

SHA256
c74f025c612d58cfb0af5d6a16d7cd4535d32e84b875a9ab21dcfd2bbb661e10

SHA512
bdfda8f86e8ee34dac3aff9a69a919fe7934c236b4db0d148bb1ea071620d82f2336103fb5d8e65293b2cac80ca69d4e246d11247cca707389e1b765a475ac61

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
320KB

MD5
aba978125d68f0804fef4e7fa8638bf7

SHA1
5a3d53c69f79d65bb7f57271d1ba236999ad9202

SHA256
596d43483b1ee8414e838466736a459851d1b0a6a8c8d912d5e2f73238d66163

SHA512
6a5b00bfca1737ccac37bd389351f902b71e8cd34124a362a26cb1533b5bbabcbc7e22a5007aa0588760941358444c12587a4fb91108115f95223ecc2329beab

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
320KB

MD5
f7794b9dadeedeb642d9bce84c25bf27

SHA1
54091f2db3c2d036a5c8cd1c32726eb5d9968da4

SHA256
eac28dc9dcb7fa0cea93116d3183aa6f67658e2e951285337103a7051ea3289c

SHA512
68b09734fbb30761cf667f2e36a15349c1df79cce9c771f452e53373bbb3c820d312368a720f29ed14a4ad9eb6ed7b981172f42d850329ed376f0c5aafddcf58

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
320KB

MD5
d1879c62d5c56baad65d86dd2f39b62d

SHA1
f68987bb3aa79b3cc90dc4cd2a0a4cb2cf7f02d6

SHA256
962f17fef5b25de08037b10c34e2f36b66b39674e08870e27984495bda3c7a97

SHA512
3d2a29e78e4b043f357821041a40dc4571b6f559913a5929bced903cacd7182c4c242a11b2a8156c5193dc4e67f5d3df10f0de2e096b48ebd1fa2cec9d853951

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
320KB

MD5
97c9a62fb46a3e710f2a43ecc569c909

SHA1
3ae5b77ee6c083145b5ded9dfba092d68b97d11b

SHA256
1930224e209bfd3206fd24bb03fe25e6fd66de1d829dcd549959d1a48ccc2da3

SHA512
928587344ac8674ac59cc0d6df47aec11c993228b3edc6662c87172dfbdf960f63c0dbe2d601e7d6dfd8c10413d236c5bbadc3476966d8eed6fb135e9431bca9

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
320KB

MD5
c6263aae9f153a8036ea92a2de803f2c

SHA1
64868a770c5812d231065f41b46937e14a05fbbc

SHA256
93a9933dbf87090fef04a5e95aa24f3c1c63d7129c151f051e4942f440bd86d5

SHA512
503d10f2165c893ba3cf10d1f62a478c8d37c6750bc1b70c484122ce28b3f6e3eb0195b41be7349d89fcd7700fc6665f3dcf36090b436b99cb468deff245f03e

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
320KB

MD5
9ee235e442b5ce84337d40d4a09bd594

SHA1
3b1a02e6aecd3ed3291cc0b4c030941ace6d3337

SHA256
2b8df4f8f0c77873389a19a080ee7e440aaa00a257713406f54bf5578b266e87

SHA512
ecdd3dfee22417536d9bb61a6cedab86013151e9eaa4e98f7a9a28a2f157417d6fd613d50b33c2305749953cf5754ff1d5220eaff92990458406eaec4ea9a6b2

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
320KB

MD5
a51d86da875a2d24e8afc4021d0fe681

SHA1
d53952610b0518d37d92351fed6f3816dbc1b414

SHA256
6aebfcb9c66d1329c9fdbad4555c1cbd3f3f4ad8f02e1101f92e7037869d5da5

SHA512
7ef6eece59d6420c91ef2355438648ea8375cc03dbb0e7e0a5c868657603d772c041ba981bc1911547d232e7df8eaa35216950403ae534435c4a1baac38f5b3b

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
320KB

MD5
78675e7572d0681fe590489ce93fc541

SHA1
6206098b33abaa09b1b8d46ce3c2d71d84fb65e4

SHA256
ce25ea2ab6ad4544a4c26df04d6040ca0f430ca83e4b0ac8c1d823652692ba23

SHA512
b7caad50997d74c7839014ee29798ea1c322ddb5e11fc77125769c687a2c70ad179873eae62ff7ff90d9dbb41a28aaa172c3d72a595d27b502bd2f05a16c562c

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
320KB

MD5
2a5c390b7e2fa046d0da3b072ae6a511

SHA1
6091c2c9bf874e420c8454c34094a1ac2e98cd0e

SHA256
19af9815c0a9587d0b1a4799313d231d0fedc6294183b1b9740b0b4b2be6a2b1

SHA512
96551381b431153ee6e341b855b82f0c69266c9a314e76abc2b5961e4fb0022018d7a8fa92c02d8be3e0f249dbacd8c24d0cbaaae6ff8856dbcfc72afd2f7404

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
320KB

MD5
6ef176fc7094bb959d5a70428232a744

SHA1
bb4e902ebe362f02a3859e7d0c38df298aa9e6c0

SHA256
cfcc9456065a0fe2b4bb63480f5234a0714089ef26dbb5c66bf0547039f61f4f

SHA512
40d46b56161bf3adc6680aca49ffe98904424577a22e86305a0e65c64ab0f0c25b2545dd3b0f6f41236c9632d441b114798daeb39cde550fffb46263cceaa6fc

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
320KB

MD5
7b84a2fb446a3a8d6fc069beb60b49b4

SHA1
43058d1338a057d37be711da7a7bb0ff8230c706

SHA256
c4182493cb9d4423f68ce6491303e4f6fb971ece673e1a913ad7824776d8780f

SHA512
e9d1d338e0f52946e5ccd4c4031d4a68808c556767649b5013631b9837b35d39d96d638be67aa3943af469a138ec17ca0fd6d17255ddbbd84e8d3128f369c1d1

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
320KB

MD5
57ca449881b47d7f76d9ff847baca852

SHA1
55f1d8a3b2b8c0054d2db0d4c962618aee957ec4

SHA256
0755019121d1248976077297e65bf085496076ae96f601767e447a334ec3ed8d

SHA512
c3a396f29d983e6c25b0e5de4ec3d95f9aada97758543c80ce765106ea5d53ec88f9893d71b7479dee4ab7ce5a388d7e5ba1d7ec52132a309109e8a2807dde37

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
320KB

MD5
72f57c898dc246bfba1204f157cd7b96

SHA1
cbbcf79ddcdc672000b5ffcf4592c15d0c9673b4

SHA256
32179793ade11f810b3227b59de5aaa2e74494a98a2d321d19398f66be02cd21

SHA512
4fe583b2f2af3015f97822a4a2d3d3570ce88689eaf9f56edd98f5455a503f6cb1c2ff5d2b7c7dfd868174533267e6e5855d4beb11c87f435b49288fe22e3271

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
320KB

MD5
f2e05ff5c68c4724ad6f9a7cf548b939

SHA1
977f87b808919286486736cc44e15b616b33088c

SHA256
f90f41c1746a5cfbfddacf1c18cb5fab37efd7d172770e0f89e232574b3101dd

SHA512
9d9d6f92efe7f676133aedfc5aea96840bf894c160f231b8c3d87951ad7d618eedb4845ad82659210784eacce8e2f597d07c0572031b943cc7a39ae7dc20cfed

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
320KB

MD5
0f8da0053edbbc9b697f7632e0f01792

SHA1
97fdfe00578b8817d0064f9855c06d0802bf04bf

SHA256
f8aae37642a88f538f2bdf264960b355acb0aeec7d32143db9caa40f081ca668

SHA512
50b69ddca6c37df826eefde914779a69ce89e1b0d8648237fc6feeba672af05c69e240806c46596f26d236864ea8c168feb8a06d0c540b434a6dda92194990a5

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
320KB

MD5
fdf2c5437bf323aa36a63dc3b55f65bf

SHA1
31b05ec9fac0f55fa248de3046cbd180858769dd

SHA256
68bdbd7244d3ce99e6b6e7ccf1300a23a22381f2dbe209f4ecf370378d3a55f4

SHA512
da1950e007e3dc77e361d7e229fb8e19fe6dae0c54ef0b17811269b4f1c294397dbc857863081d037bd78f75a4d166fead6a6b95c67c6aaa77c8a6b39224e122

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
320KB

MD5
3f01503e7e14e93ec71ea5ead2403a9b

SHA1
3a29d02a9e35bbddaca6a18a4196aa3284df4190

SHA256
5288bf186928090a55b3f64f772a71f5c3b6bd68152e7d67fd8173ad0a3bd54e

SHA512
c0c6a829b10c6f9e6a03b309548e452fec471f8be963b07de60d81f0a0c368388b8aca50fd5e22b2dcc4befbe6ef720037f006c6209d8c1a4715898256e63cfd

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
320KB

MD5
8e6f98e875e3fc76d075a6ea4e4b716a

SHA1
d8f6d0a8abc21c8978362048dee044f62e4bbc5e

SHA256
e0b962837df1235fee3cdd0ac105f3bd167c4844bdf84f2bb808fef2e7cddb2a

SHA512
b68fd4cd21cea494a5293da4966b63c6f0f2b06c9a80db9a9fc6f77b303a906a253b2112b55399d381eb05310d75102d6f0cb48974576e85cd0a304aae540b1a

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
320KB

MD5
cea6d9da084a0af9c3334a16f6bc078d

SHA1
73f82dfd1b6268bf2e67b1e2691b4fcff9a20a42

SHA256
b5f8c2b6fdabf1554db6dd0aa3bcb277aa19f47df366c0d25bce5da8b1dd7370

SHA512
6ce7c244ca3d01a1281b7e28f9a62dfb2efbf5aee980637efd08127c638715dad61eebddf8c8646d06a7cca3ac775e76db48fb9f005abf60e721badc65b5491c

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
320KB

MD5
33e39174da27a22cb4fc2767b81c006c

SHA1
f69d588ffd2b3b00ea20489abfe7328654e01921

SHA256
d3cbff518d06d461bb47193f7c4987ff8bc640e56238fda3b5556cc6c155ac9f

SHA512
0be891bf3a930ede74d40538030925b2ce7f17fbc9be099ef56c25f1b3809cb1b411f0b3f7da917b4d66b4f8db86b248259eeada037df21b9c78c0bf0e3b8ea8

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
320KB

MD5
f4d08bc0bd055b1578c9e237b7bac171

SHA1
40f536e7e25eec20b87f2d9bcab15707791d7d62

SHA256
63594cda2e3137206957692b94cf795fa6d31648a04d600d5d1df9ee52c5e6a1

SHA512
7f1bd28730f401c81b6353cca7366f3eed14737f91af2b31af5bf4c58ada20a00c335621c0da69ea7b7517308246463770d4c96b6960266c60fe43a74395c7c8

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
320KB

MD5
ce1c2da03548a4dc32edfc73e32f4127

SHA1
3b97fbd87ddfab96ed80a7fef355bfefd528d326

SHA256
1dcbbf29d3a04cbecac0d3adad68fb90467260c0db19fd66d07b5897929fd533

SHA512
21c55b0049ba04533d8847fce346884667fe8ccc0ad4293e680dd9074bb4194602e0eaabbb3fdd01bf7340f7de9caca9f7a41012130105875c6059b3a722b11d

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
320KB

MD5
5c704699722b1eb81c540e8d57ae4b9d

SHA1
6190b3c8798fb5a3721bc127d869b6030b4c7653

SHA256
674573e2459cb5dcc7ea893fea853b663d8a32c6cb365ae1872dd51f97ba7ac5

SHA512
b89483e655e23397a6c7dd38df7a756d0e7e4c8d5a5a2e7bf56c359850a1a9b76660e068ae3e5f711a820d9072a9c25e83f5638ac1b51cb55551d2602d05780e

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
320KB

MD5
fe33935a2524722834774aabab3ea71f

SHA1
319b3bbae41ed00e7b1a44195a30a4ad77bf3424

SHA256
11300798e99302f04afd4c9671149549f21c33f9a751a9a88ff8686aea2a9a03

SHA512
a3678fa7706d1d1753961a255c436979059b192cd422b4da7eccacaf23ad89c1ecfd72a48e178609ea881e213d5f612a5d1f0f3c363c1d1b18ba7f68f35160f1

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
320KB

MD5
1702c0a6f4e0bb2530fb67d28a869218

SHA1
5c1967c02dc112ae8cb3dd34da6cf2f97712af31

SHA256
cc969be8dc73072d9c4a763a9240172417dfe18e2fd1447c2e7b77ee374c6c65

SHA512
a1305c869d45fc090ac0fc6e4bc069e605f234bfbf801fd10cec74e25bc6fbdb5fa1d97bd7b0e14d5c41a95cc0729cd4dce3e5b3a57c4351c4722e4e20b711af

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
320KB

MD5
2343957ec43b3c523354c1df69b53f3d

SHA1
63fe517bc017df476db5343d95d8c12f1a732256

SHA256
759a002897003fe168c7c50ec62fc7e5ce6720b862c64bcac4666c3bc77a2c8a

SHA512
ae22d95cc0ee45958a704054d0a1e989c3b155b7aec480fd7021aa3a3b39cdeba2501651c40869d0f1cf2c92e0fed5827081ee0c3a2c520ee2cfe8cc8288b0f2

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
320KB

MD5
2dee06bfe18c1ceae03d97cb82c189ad

SHA1
066ec022d89e84418e7cdba988a2950753b55e9a

SHA256
7df17c1a4727977fcd3f950b50c02badc83b0cc727ecb386e8c5e47f91075f31

SHA512
c8657c2f183ecd8cef5ed99ebe704219112f25d0bbe6153b44b4f7f1eb67e8083fd76991c76dc1ea82ea08aa20716eed939a677b53e30557f2a4abda319fe1e6

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
320KB

MD5
97f2b4fdb8537da68bb20b459cc4117c

SHA1
efb05e9dcaa50367c35e465ebe48d787ba99df83

SHA256
99a7d136919411e90a1c523760fcbd55dcd3c3a69a42365ed0da355e84117c79

SHA512
e7d66a8cac3eaa32288549bcb7e6bab176685d51cca63640a88b1b6972ae315d5a1b2e812a7e32a27df00e2094078ad4ade9fd6f35f68580c5a85eeb3113ef1e

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
320KB

MD5
403f1a48bac0c650f0e43350196f313f

SHA1
81bf83f842ae968815fb07d1f2e096364e4286f5

SHA256
9a62a1aff17cd9e294b3aab9fcd93377100ec88902054fc0db9af91901e7337c

SHA512
4fed998e4f4ae1827dec83ef0014ede760f114024bb3dad3e4e7a4ff3b7d0acedea54d2fafb05a83ecf4ac3c0104874d9db8b3c3c90bcc3a7a3c3343d9997c0b

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
320KB

MD5
451f8689171610032ad8c4918832ca1d

SHA1
2ba4b17c27916cca20ccd7892eef6f87fa687bb7

SHA256
034df0725c37ec861c6e9b98f5bab4ae323935df521ee307436e3b63f6138bce

SHA512
8bc714e71f17e12972e5676d10a3692879098d730eadbc8e7f07e7b83422c48d08d131c6cdf68e9db095dc313096730a0420582485c02505f666fc1cd4aba548

Download Submit
memory/216-216-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/224-308-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/364-224-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/432-366-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/536-177-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/624-509-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/992-499-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1200-432-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1204-320-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1264-314-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1436-637-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1436-137-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1488-565-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1488-40-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1600-161-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1640-208-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1820-493-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1836-236-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1856-378-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1916-288-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1972-1095-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1972-395-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2116-470-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2212-452-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2316-1053-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2320-644-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2320-144-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2332-636-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2332-129-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2332-1175-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2516-57-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2516-573-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2644-332-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2688-540-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2688-9-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-290-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3012-619-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3012-1179-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3012-113-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3028-296-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3040-547-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3040-17-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3088-464-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3144-271-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3152-545-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3172-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3172-580-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3264-260-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3288-413-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3424-1051-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3424-526-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3464-481-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3496-376-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3572-511-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3604-250-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3816-350-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3832-189-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3920-593-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3920-81-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3924-193-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4116-73-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4116-586-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4240-326-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4256-278-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4304-244-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4360-534-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4420-613-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4420-109-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4432-25-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4432-548-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4476-419-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4532-606-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4532-100-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4564-482-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4588-407-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4600-384-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4616-1079-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4616-441-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4628-344-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4744-453-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4792-555-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4792-37-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4800-302-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4816-406-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4820-625-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4820-124-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4972-549-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4972-1040-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4984-604-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4984-89-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4992-338-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5012-169-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5032-152-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5040-567-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5040-48-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5116-3-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5116-533-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5116-1-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5156-574-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5240-587-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5260-931-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5284-594-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5368-1023-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5368-608-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5464-1019-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5556-935-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5560-1015-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5604-638-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads