22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7

Analysis

max time kernel
131s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 23:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe
Size

64KB
MD5

61ccd9dd212c1a62be239aebc2cb3d50
SHA1

dcd06f5635c5918c834e32283cc9168b3bf64ea0
SHA256

22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7
SHA512

e9fcdaea49944273d09f020d68433a042ad5e03059b050646d3d0b4d58dd0f5ab8c89154c44da603fa8bb71afcc5a4144a31dd0a553b2c48425028aa87f0cb90
SSDEEP

1536:YkFQETSVdnNr1Zca0PkZFEGWOsT8l4110tXUwXfzwv:aVMLHn105Pzwv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe

Executes dropped EXE 64 IoCs

pid	Process
4444	Elhmablc.exe
904	Eofinnkf.exe
4104	Efpajh32.exe
5080	Ehonfc32.exe
1176	Eqfeha32.exe
3284	Ecdbdl32.exe
3936	Fmmfmbhn.exe
1620	Fokbim32.exe
2824	Fjqgff32.exe
4028	Fqkocpod.exe
4840	Fbllkh32.exe
4180	Fmapha32.exe
5020	Fckhdk32.exe
2596	Fjepaecb.exe
5028	Fqohnp32.exe
3320	Fbqefhpm.exe
4240	Fjhmgeao.exe
2300	Fodeolof.exe
2188	Gbcakg32.exe
3956	Gimjhafg.exe
1932	Gcbnejem.exe
4052	Gfqjafdq.exe
2996	Gqfooodg.exe
3772	Gcekkjcj.exe
2668	Gjocgdkg.exe
1576	Gpklpkio.exe
1612	Gidphq32.exe
5000	Gpnhekgl.exe
2480	Gfhqbe32.exe
4484	Gmaioo32.exe
2656	Gppekj32.exe
556	Hboagf32.exe
232	Hmdedo32.exe
2296	Hapaemll.exe
1324	Hbanme32.exe
3996	Hjhfnccl.exe
5012	Hmfbjnbp.exe
688	Hcqjfh32.exe
4848	Hjjbcbqj.exe
4968	Hmioonpn.exe
5100	Hccglh32.exe
3040	Hfachc32.exe
3324	Hmklen32.exe
4552	Hbhdmd32.exe
1404	Hjolnb32.exe
2276	Haidklda.exe
1988	Icgqggce.exe
3692	Ibjqcd32.exe
2804	Iidipnal.exe
1380	Icjmmg32.exe
1516	Ifhiib32.exe
3812	Iiffen32.exe
3440	Iannfk32.exe
1940	Icljbg32.exe
4904	Ifjfnb32.exe
2984	Ijfboafl.exe
4112	Imdnklfp.exe
4828	Ipckgh32.exe
2868	Ibagcc32.exe
1468	Ifmcdblq.exe
1692	Iikopmkd.exe
4368	Iabgaklg.exe
3252	Ipegmg32.exe
3712	Ibccic32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Gddfpk32.dll	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Jcgaen32.dll	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hboagf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6852	6592	WerFault.exe	261

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 4444	3504	22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe	82
PID 3504 wrote to memory of 4444	3504	22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe	82
PID 3504 wrote to memory of 4444	3504	22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe	82
PID 4444 wrote to memory of 904	4444	Elhmablc.exe	83
PID 4444 wrote to memory of 904	4444	Elhmablc.exe	83
PID 4444 wrote to memory of 904	4444	Elhmablc.exe	83
PID 904 wrote to memory of 4104	904	Eofinnkf.exe	84
PID 904 wrote to memory of 4104	904	Eofinnkf.exe	84
PID 904 wrote to memory of 4104	904	Eofinnkf.exe	84
PID 4104 wrote to memory of 5080	4104	Efpajh32.exe	85
PID 4104 wrote to memory of 5080	4104	Efpajh32.exe	85
PID 4104 wrote to memory of 5080	4104	Efpajh32.exe	85
PID 5080 wrote to memory of 1176	5080	Ehonfc32.exe	86
PID 5080 wrote to memory of 1176	5080	Ehonfc32.exe	86
PID 5080 wrote to memory of 1176	5080	Ehonfc32.exe	86
PID 1176 wrote to memory of 3284	1176	Eqfeha32.exe	87
PID 1176 wrote to memory of 3284	1176	Eqfeha32.exe	87
PID 1176 wrote to memory of 3284	1176	Eqfeha32.exe	87
PID 3284 wrote to memory of 3936	3284	Ecdbdl32.exe	88
PID 3284 wrote to memory of 3936	3284	Ecdbdl32.exe	88
PID 3284 wrote to memory of 3936	3284	Ecdbdl32.exe	88
PID 3936 wrote to memory of 1620	3936	Fmmfmbhn.exe	89
PID 3936 wrote to memory of 1620	3936	Fmmfmbhn.exe	89
PID 3936 wrote to memory of 1620	3936	Fmmfmbhn.exe	89
PID 1620 wrote to memory of 2824	1620	Fokbim32.exe	90
PID 1620 wrote to memory of 2824	1620	Fokbim32.exe	90
PID 1620 wrote to memory of 2824	1620	Fokbim32.exe	90
PID 2824 wrote to memory of 4028	2824	Fjqgff32.exe	91
PID 2824 wrote to memory of 4028	2824	Fjqgff32.exe	91
PID 2824 wrote to memory of 4028	2824	Fjqgff32.exe	91
PID 4028 wrote to memory of 4840	4028	Fqkocpod.exe	92
PID 4028 wrote to memory of 4840	4028	Fqkocpod.exe	92
PID 4028 wrote to memory of 4840	4028	Fqkocpod.exe	92
PID 4840 wrote to memory of 4180	4840	Fbllkh32.exe	93
PID 4840 wrote to memory of 4180	4840	Fbllkh32.exe	93
PID 4840 wrote to memory of 4180	4840	Fbllkh32.exe	93
PID 4180 wrote to memory of 5020	4180	Fmapha32.exe	94
PID 4180 wrote to memory of 5020	4180	Fmapha32.exe	94
PID 4180 wrote to memory of 5020	4180	Fmapha32.exe	94
PID 5020 wrote to memory of 2596	5020	Fckhdk32.exe	95
PID 5020 wrote to memory of 2596	5020	Fckhdk32.exe	95
PID 5020 wrote to memory of 2596	5020	Fckhdk32.exe	95
PID 2596 wrote to memory of 5028	2596	Fjepaecb.exe	96
PID 2596 wrote to memory of 5028	2596	Fjepaecb.exe	96
PID 2596 wrote to memory of 5028	2596	Fjepaecb.exe	96
PID 5028 wrote to memory of 3320	5028	Fqohnp32.exe	97
PID 5028 wrote to memory of 3320	5028	Fqohnp32.exe	97
PID 5028 wrote to memory of 3320	5028	Fqohnp32.exe	97
PID 3320 wrote to memory of 4240	3320	Fbqefhpm.exe	98
PID 3320 wrote to memory of 4240	3320	Fbqefhpm.exe	98
PID 3320 wrote to memory of 4240	3320	Fbqefhpm.exe	98
PID 4240 wrote to memory of 2300	4240	Fjhmgeao.exe	99
PID 4240 wrote to memory of 2300	4240	Fjhmgeao.exe	99
PID 4240 wrote to memory of 2300	4240	Fjhmgeao.exe	99
PID 2300 wrote to memory of 2188	2300	Fodeolof.exe	101
PID 2300 wrote to memory of 2188	2300	Fodeolof.exe	101
PID 2300 wrote to memory of 2188	2300	Fodeolof.exe	101
PID 2188 wrote to memory of 3956	2188	Gbcakg32.exe	102
PID 2188 wrote to memory of 3956	2188	Gbcakg32.exe	102
PID 2188 wrote to memory of 3956	2188	Gbcakg32.exe	102
PID 3956 wrote to memory of 1932	3956	Gimjhafg.exe	103
PID 3956 wrote to memory of 1932	3956	Gimjhafg.exe	103
PID 3956 wrote to memory of 1932	3956	Gimjhafg.exe	103
PID 1932 wrote to memory of 4052	1932	Gcbnejem.exe	104

C:\Users\Admin\AppData\Local\Temp\22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22b7419214a39565f39b18571d2e7afa55504bc55fb2e81021ff530b5467f2d7_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\Elhmablc.exe
  C:\Windows\system32\Elhmablc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\SysWOW64\Eofinnkf.exe
    C:\Windows\system32\Eofinnkf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\Efpajh32.exe
      C:\Windows\system32\Efpajh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        26⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        29⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        30⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        31⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        34⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        35⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        45⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        49⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        54⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        55⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        57⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        58⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        59⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        66⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        71⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2420
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        74⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        75⤵
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2588
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        80⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        81⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        82⤵
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2268
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        84⤵
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        85⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        86⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        88⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        91⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        92⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        93⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        94⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        96⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        98⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        100⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        101⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        105⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        107⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        108⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        110⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        112⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        114⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        116⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        118⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        119⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        120⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        122⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        123⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        124⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        125⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        126⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        127⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        129⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        130⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        132⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        133⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        134⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        135⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        136⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        137⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        142⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        149⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        151⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        152⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        154⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        156⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        158⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        160⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        163⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        164⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        166⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        167⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        174⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 408
        175⤵
        Program crash
        
        PID:6852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6592 -ip 6592
1⤵
PID:6736

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
64KB

MD5
5dcc280a8a6cb676b7bc5495fb7ca7b9

SHA1
67d3f4de5b17c5440bfa4f2b51e0049e0c522600

SHA256
4b9b31679252a00ef05e68ace7fe7537be512d77d0c11abe190de591ed4fe657

SHA512
d271191e5ecb8aa4e034ee2b97ac9a34cd2bdf9ae9cab1775ba3d6a018b9fd42d65a18f120822a271054e72379f72d806e3d9c89764613c585e501da9f54d14f

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
64KB

MD5
47cb2c69754a945f9e0c138b1652cbd3

SHA1
0744f035e6e0cff4b416fdddd923529044b8a0bd

SHA256
eff38fbd869d3b0c0b17b1254c408473c32bad0c44ba14336ec544f30bcc560f

SHA512
33f1f6eae87d6567a41db4cc7f124c1f2e0c639835996a2239536eaabc4b2c08aa40208e8af607674b2a3b17c3103a309b39556df688ae0ed93f5eb2041d97c7

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
64KB

MD5
34d191df7fe3584fe448dc68ef3acec2

SHA1
7b7408e0e68b68de4a9703449cf67b7729a06a78

SHA256
0228f96f470db63127a00aa3ce311ddae8848f2a607381643c73f30c69cee422

SHA512
f3d8f6966187b5c966c966bbc74108b4e70f7ab100a367eaa9d94d75fbc3af6386997ce2e4941c07249f4b3678d8dad93ec108269212e0ca8092ab7c58ee9667

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
64KB

MD5
9325ec51a53fea49b52d7c423263eaa4

SHA1
0ad7814bbc559776f98a6135b726fabf7f070cab

SHA256
38ab460a0533a4329fceb3a221f301de9b01c04363b10c760fff25a6bee8cf54

SHA512
1b9881489bffffbaa3f050ea921a5a9a8c01b09d319454fe297ead0ba68ea3189f29e6c25538404b16adf0e85dda7d70511a6226e425eb4229f21372e50ab1ea

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
64KB

MD5
540b2db1ec0ed0afd6d2f36e882bf4cb

SHA1
32552913046dd34ff2f004fd8ad59c92d0d27cbc

SHA256
e0a820b2b7f648bf785565b30c72a0ce2a5c43c46fa56940d91c18089ea86e99

SHA512
1d698467494ab80c31834c350e97c96fdc57a20d0a9aa521e3cdb95e1a8f05a25a7ee5929e7226b1a4a451bdc5f069aff520ec8edc6fdbc60a41755c595db11a

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
64KB

MD5
cd1979514200ac1dca1325cb3d6080ed

SHA1
86cea7f1119aeaa98bc1f6341c30ca6ec4ff38c6

SHA256
10afff92c8b3004e8ed828a7213161351d4f465ac1144105fd03b1b3b09c08bf

SHA512
92d9c4d6d88c075b4249f0a24ac7a447e31c24ec5fef7dd63c2aef392739f2d44bcc90fc8e1c7d2f08795904fac5d442610c10631325e2784bc55faf64ada869

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
64KB

MD5
f9489396c8d8aa6bc39df83a48e62266

SHA1
e83bbb2dbe51f3a6905c67630dbc4da7968b4605

SHA256
4bb56de92f625dd137904e5f1b09d9574acb0279a8f2dcfe5e46933fa9be0685

SHA512
e313f6f69270d8d9fc8bf0dfa108203f472a04258e20d4fc5890feb71487b0c811e8b78909dc10b9536cd7ef190e24caf8f7f3edf02c23b730783b8393f3f7b7

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
64KB

MD5
daa76925d4d33aff0298b0276a6c9e3e

SHA1
5e33dba26fb0237292d08377c11d4d1c7ff95997

SHA256
f0a136b8ceaf54fd83e726ce4e7f67ea3f0da998bfbeda58ea46d0b4e0614def

SHA512
684386a3c372f25eafe2a4a40054f9ee210cec6e79f5c60da6b8ba8223fdaa1a6859c0d33eaf131169159b2352eae63a852185948399f33046fe430e4efacb17

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
64KB

MD5
bb34fb2f4bf3cde95efd41763b4f622b

SHA1
29f384814434c97e10fac884320198eb408c4a00

SHA256
ecdef964dcf1429027454c69452f4284005ccd8a442018d7189372400413fe56

SHA512
3e162c85bc6a9fa37330ff68ec3c3d574ebd93393adabdc183c10673959a5b8d28ad11285e356f6251cafb21bcf2c6c443ab5da978beef3f82671f3c570689d0

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
64KB

MD5
3448b5daf935cb983ceff6d45184e583

SHA1
37c2b70c4f3483a1610390828b74bf8d5f06fdc7

SHA256
4ac22830e1f3daf11d05eff36d735b9200045895b0f6fe1c7aeae0e54279ad13

SHA512
e832da31a83d3ed820ae3c610d9078380ec18b2eca381f3d9fcd770437c5bfb083a25c7b68a588bfcfa4c37482cf005ad4bc1160743f5dbe1c56e0a9fade1556

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
64KB

MD5
9ce89a86a96794ceb7468a2502d3e3b1

SHA1
7d264fa037235fdc4dd10393739dd7c576f9bd79

SHA256
b97b3d13faaaf09c22084f3e2e81154211c9a7434f235348ed97dc13cc97649f

SHA512
b5584605b336e39291c9210231bc53914bfb66d3be8bc139d52941ec274e6bc9d6035fa5b61453a8ce5820d3707fbf7f4d062ca9a9fb42bd8de0fedcb8873cb1

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
64KB

MD5
5ecd2c7e94342c0a4f61bb183ad3e240

SHA1
5e33b9c314638aaa367284e3c317829373a6bbdb

SHA256
fec9008f74d779b6604f00d494392e97775a89defd726d1dcb798e97b65e3055

SHA512
eb3c021645732c26b534b85bdf856f4f8feeb2f22abf3aff528acbaa8d116eabfb561c490a682c348b203ec28cba8f7e062a311a996fda060c96ef9c46747d22

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
64KB

MD5
6186492f58d9e79c09e63051faa66eae

SHA1
0f85a1d4c6630203e20ddd05df9370fae1d7d165

SHA256
d66b30de511900fc3c22adf7399577b2fb90e81677fe9b54ce3bf6f1b249625f

SHA512
c12350ed78756c412b8346ec08befa8c05b404a36e5c56f29904d28a3043c10b5664ec45ca0a2ab0a379b5c7918f21b7575828cf3fae695b222c082c37af002c

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
64KB

MD5
814d34c17c030cb0d551267fc1998625

SHA1
4bd5ca75b911f4b023d22df8a740d3fb194f1a0f

SHA256
39e84678ffcfeeacef57c22ebfcaaea2a0f10ee8ba0c5f734e9768c7af3bd7a1

SHA512
615456258792b874067da07a777162e4384148df1206a705314811623773ea608d9d596607c7a4cb4551bc260e61d359b2f9179fc765c0c715b9cf19a3b61940

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
64KB

MD5
a7599c809ef53d9f81beb0c876e196fd

SHA1
4e1d0e87954d90fc27be112a68ada277b553ec29

SHA256
1b96d3ff8d5aedb6f0f657b1fd676205098af2e51dc3e5a33be3ab85ef6543e1

SHA512
f60b6904ab0525d6a0bfb546a59e6b10ba66f4e53382f84016c3e7acd62369fa20a91791147fc16414fe68c752bf1a78b7eacd22516a168d13b35a2e2dcd7044

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
64KB

MD5
b121fdbb6114f100be48d1d5ad086ea3

SHA1
abd8012c48482227fc5c7f3eae75c38dbc9aa210

SHA256
1aa4531e6b97416cefe1e15eadee7c6ab5dda3a6b8306c174f9cfc261d7d66cd

SHA512
eec0de44ed114b691acb741d46083eae213f1f1be13b369d8128e1e54a546594d0aa5ffc10d92df408c6e50186971931cbabdcdfef895821d5fbbf8e71ddb958

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
64KB

MD5
2690edf6837c9a094f1a43d9f78c390f

SHA1
7618f10309f46f62e54183d29bbcfed3b83c4045

SHA256
5fa60da0d178c1e4f8c3c257bc2217699aab74cac6a87758c18d71b5d1c29b81

SHA512
817a2eda90eb57846a3c0bb82ee4f485ead5d1e8b8082c7a7cc0f6440d8745261aeccc4e8954e90b8965760f90c0efdb69e3f08555b4100a624de216e3c9eee9

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
64KB

MD5
c975f198a8c196d0105c844b5a090188

SHA1
ce48b9fc4e8268b71d93cb0f835809f648d2c0f2

SHA256
2af06bd7302f6c4829bb0c8e8c2d74cc656681c3da2ec568479b783d4c2a8afa

SHA512
484db5357acbb0f11288ca4d84521060198436c3d115bd3b93e46353b78ee941623bc03fef7da92235b832ea381a5c0d6ec9d1226ff0a010964cfde538c6eb95

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
64KB

MD5
63a7b8510b96ec0c618b18141e971576

SHA1
1e8045eb2979e0ab5dc1a3795a33fc56e4d3c4b3

SHA256
cc896025137360a1b86c18d505e3be21fe1e0bb3a1f97278baafda022191d748

SHA512
117fd396f966da8b5a600abc5c1d54872f2bd20290af0499b48df763f250cb94c6fe586268fcf695ce26e4ce65400dee67d74144570c544c88b174ad1b29f1e9

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
64KB

MD5
c5f29e9fbdee60d42348c289493e9535

SHA1
472eadf22f1009cb806899926545eb578a0f9c6d

SHA256
6bb75d497df7ab56910adee0814151e4d15807be5a77de9c8e790972614fda5c

SHA512
9b48b399329635896d1c344104c4d0716584dfac72d75d0c5d1a6dbfd0dc449b193665d297fc64a41de7d65e97eef1b1a4d156404258f24a87a17b15a32463b1

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
64KB

MD5
b6b369d752915fc895b1cc32a5c34ecf

SHA1
6667d1e257aa8303f5247e34212c7b9f690ecb63

SHA256
a1a544f6106c8ee6da6844dcf239028d4123e21a343d3a737d3b54932135ac86

SHA512
9452086a14be759ea688592890e1a54c083f0a33ba57e2062ef2e82a0a33ec59a25d61a91fc3d55fe0d93628f61f70d451a4f47395ec984f41050c516d5132e5

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
64KB

MD5
384934a1c1b83444e2adcd349f7ee34a

SHA1
fac9d6cdfac47c6a0b89a4aa494e5c3eba4aab88

SHA256
7088de457f2db8e4c1e439682d02373b4daaff50cea4ab965d07a7b23652e90d

SHA512
c0cc601caf331c3a612be664dbf38f9272727b77d4a347de3591f5c77f82d1708e0125e9cf939a5b6ac4db245472453d7d88d5965c732ce40939a38d909817d7

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
64KB

MD5
d11a8a40104552a3963d8cdb1cb85a16

SHA1
c03ce0cdcffedd06c5ff61a8c652b9f432a07fe5

SHA256
c9145e107917b2a2741be3fd729af749215cc9da55978f0e2ae617237d2ead26

SHA512
7c8cca1a6111b96c6648a4b161e85de920190ebbe52b316708c09b12e4bcbc627e5a2003292044a4b2bb26643a6312f1ea9d62545e1100f82c5d017287e2efb5

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
64KB

MD5
00f37763f3d7205cc27d7dde68312ee0

SHA1
e25d7c11bf45becc4d964c29faebf4f4b7dcf2ca

SHA256
83a6886aa8c5f835aece5c33ff1e522307b7e62d64f9b8c94dd547b204064694

SHA512
00b88255662601001862881ccca1b453adc0ebe9a8309866b131dd81ae03059573c31c1a88f810140086495ac9b32f8f63eda597fdb891b1761f1dd1dd494c6d

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
64KB

MD5
fc399e2881254d61aa8393eb5bbf2d55

SHA1
656eaebaa42e19c3feab6da97d2609b2358dc479

SHA256
8bef62e395101d94af355aae5344f78db9240db7e0028bb76b1e364bc7f2f298

SHA512
b6bd4cbe0a78b33b55a64a324dd1aa0d54a4cb0e4f83fba9b7dbf8ba0d49e5a7a11c68d98950b5c88b334f5cb8c8aa1d7fe6b95689122779bb7643aa365b7a2a

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
64KB

MD5
2e6456e06ab5adb5ec86af25a6d0bdec

SHA1
347acd28a139bc257457e722ddd4b06d5b81af28

SHA256
e6e0fbe8fbfb81728faa3b62b006bed088bd1f52c325c8a3316f40a90f6681dc

SHA512
946f483a46bde1a8d9a50322c548724f202c65e7c7253df46e5736743531c2ae4840d47ec55861330a414fe0cfbb7ee40aa4af81eed5329dcf3f3f3955b1e089

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
64KB

MD5
5144ee83ab547d09b12e34fe2b95771f

SHA1
c4be3c0326cda26bd35be8e2f64417b9508e7bf8

SHA256
4cb385815c8d4ac24a45eb00a50210ba00cf7241227ce4e43c6e930200430136

SHA512
07f71c697b07fa7f9839622c01b5fea44e0a3ed64b4c7110ce96e183bd71145ad0f2f95eda2845a621ae5e87bd97a47beea064a46ff6551e8eaf4abc5121a247

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
64KB

MD5
d15de2bbe9a272f3c61279fe3ab55175

SHA1
219855cee3b33c0e1871e8f1e240445730ea9b44

SHA256
1c31139047609e3d00009ee1086927b9447a5724126ee4068c47fafc826f8097

SHA512
d785e78f9a0aecd3fd2d7b8d1e86e74c39c2fa10b7f809329b4522d3520cad0775c65ec4a6760ea5bdef8d7e71ba120ab553982a09dafe5c23a17503dc175df4

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
64KB

MD5
2d8e88caf14b72cbcc1b4521c285baca

SHA1
671fdfa1a2ffb8482464e88323971d401c60d8f1

SHA256
0f11fb394fbd83413e47770f5307e3630ba872594a60a962120c777869202093

SHA512
4f3ebf675f4d41c0ee3c6f38d25adca59b7e3ed9068fb7042477093db09ad453896252df2f4e03d8e383728f27aee11e9cd26aed8e7a766309295fbf4d4c5625

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
64KB

MD5
8a344fb8009f22c981e2846198dff139

SHA1
cbd8e859f57f784fcbb0159a9b98f7a65d28e39a

SHA256
a63c07c34e7ce3cbf19c5780593c74dbbf7101c85df0ed13384ecf32d252144b

SHA512
945130d7ad761301dcd263a6d75aca362e5557f08f812c675e8a2485a1f177b955a7be7c6efa2eeed3f0c5c5399668f53ae87afbc24e59a97e8c94024a352a88

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
64KB

MD5
24f18f4c5a2fa57928fdf25817cdfe28

SHA1
463ce22f564a337a9cf4d07957ddbb758be31450

SHA256
3ad810af05ac993a833481b7a0828c3917638d3f74821fe2a336c009afc5433e

SHA512
bbd124033afc3b459d609db24e121c8c573355b7cead14e67a648713736b8e96da61dc29ee4edd56f88155c000a1eeb0079fea39578e2811bd811832236c4742

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
64KB

MD5
47aaa2f0f52fdf2c82f6a0c3b91a6cd6

SHA1
faff36a652de7c7346794cd1af9f16327e9c6b5e

SHA256
63d8fc28efa15f58826fea107cd64c44b4d6fdce29ff154947986c5dd519338c

SHA512
6f1f90801633c3e99c03601645452e80aba9505dde3caa86adec068c7d7ac0e1169f23bef07a0d7c0f572f0f1ee40d917391458e1e277ed76a64932fde4a32f1

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
64KB

MD5
b6ed861812a36df18ce6da6fae416715

SHA1
f5d7d77256e22b3ba4b3814aa91376df21d4651a

SHA256
c8fc6f5297b9644c7c28d1e2861ba72eb419f0d32874a0a9a89fb6efb118ce3a

SHA512
e62061c549189fc0474ea1806dae0cca40cd9aefae1a403049a72cfb1e6e8369b83132b46f87cdb79d0169d725873340a1e3a858844a1b9bea069ff2ce6a6cd2

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
64KB

MD5
2f62aa9e751ec7c4b992b8d6c3097aaf

SHA1
55608b1b0934ec467be1cc6f4a632e56dda6eaf9

SHA256
155ea7642ea88d5baf634d964c4cec1280b4bc0330dbb4c021d2f2e7eb9e8c8c

SHA512
bea0ff62252d36526aa0d2da47663ef6b73558d035cf44287bfcc969e2cc29c4ec4fbc789581f58ad2d8dc5a4294b39059a79ce31c59ae33437a3001e5a9a926

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
64KB

MD5
226c975837b05e9b99e6857a6e2fd9cd

SHA1
7fe821fe1fbd802d32be7c9e63f688eee040e3a5

SHA256
e695f6a95b7a2e41c109049c682804d7a128893e221658eb2ee46de5167bccb2

SHA512
be609d3b5bb473d9ce978763346022b8f6831ce5befe26bcb9d50c8087dc7649470c32b772ad924381e402d4330ae12b027685fd02362a92dbc2c64a1a874881

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
64KB

MD5
298d1be1935621a3bafb94b2a96aa9d4

SHA1
0afd08dac41137855e68b2e6dcdb8d09568cee8b

SHA256
c4096204845e00cf76e03b9ad2b7f28317739df756c193180c28591f128bd805

SHA512
04b8b92a23444e588904eab93ef6e567489d3015ab22cc422ec22ec776029ce7e1a6aa98f4e5aab3e30ad151e5c9d91d167daa04883d81a21d78cacb648f87f3

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
64KB

MD5
4707a08b3fc5b05da62a2b2772c1ba02

SHA1
b47e965a2cf95368226c442c8572896fb410cc1a

SHA256
04c738b1e04abcce067f5633fc056e11a00b1434e1e2c0b02aa2d251f8c62477

SHA512
2b7b86f60d6303f49a02bcff02b0bcb18ec6bd2b1dc041c835d2bd607d2cd0e411fa66639d64b6aeb157bf56f714e9043b69fb328efea738e1096c461dd64307

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
64KB

MD5
037b58bd42247b3a2c470bb5a05d910a

SHA1
96458dbb89dabb280cb5431747685ad7fdac6325

SHA256
ea04d5b88a78d186f7b7f3a640f195bb7d4363565341301f1a27fe0987a084a9

SHA512
bf526c91cdba8ed9e5ff6169d996798b28ce99e567dfb129d2313515be651f9400aad9455b561565e32e36f6b555cb211eaab1bcd7334768d64797799bfa0102

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
64KB

MD5
d6dc9a011dfe5b312857796beb2e5256

SHA1
e3e0cc0b85fd22efcf104b7890b07000ca7f00e5

SHA256
26b2f27837eeca6b5badac1da9e9894a6e5cbb02f3ea80f046259a2b4090c29a

SHA512
9ffd5ea82f3fbe489652e95ae82ea925e2267c6f273af736eaeecf6007f4554418cfb723a55bc89988bb2b89e9e8390a4a9564ebe43e9bb844bc8930df8af80a

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
64KB

MD5
3971d5a7e4f4e497025b6c3bebf5b038

SHA1
68e0193825c5f6c2c32412a2cb518cb3ede62b7f

SHA256
8ec86d2d8f22391e51d9a0aa60105efb07fcb656cea3ac1893a3a52185ab8367

SHA512
c06fb0d2f1f2d585abfa9d8de93257658f990aadfc35ad8e8839803325db4e0b06d118d8c1717d61d530103b338dd3540407436187ad8c6f5c153fe4001c7000

Download Submit
memory/232-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/708-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-576-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3812-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3832-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-603-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4088-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5104-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5164-590-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5208-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5936-1224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6044-1215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6316-1206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6656-1195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7008-1182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads