0bb91db1c2a6181125d0648f8e13fb10654cb57c8a36ac6ab5243e5a46498d37

Analysis

max time kernel
130s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb91db1c2a6181125d0648f8e13fb10654cb57c8a36ac6ab5243e5a46498d37_NeikiAnalytics.exe
Size

64KB
MD5

fe942938a7e9aca43fc6637ec5795460
SHA1

a2a1312f7f0dbe79a38881aca207155fb7d0c90f
SHA256

0bb91db1c2a6181125d0648f8e13fb10654cb57c8a36ac6ab5243e5a46498d37
SHA512

354d17cbcaf99217b93d538b3b58d9717bfadb5f76a4be850f019f4385ed3eea949ba004fd8d6e6a9888ccf7b81669539592db0c42b7f3a0b349d8d42316a6d0
SSDEEP

1536:2M/uBKGVmGfunudLe9Saw5naMjbK2lgFKUdI+HgNtn:2YMKGTfQMrK/KqHgL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe

Executes dropped EXE 64 IoCs

pid	Process
2368	Eoapbo32.exe
1224	Ejgdpg32.exe
564	Eqalmafo.exe
3740	Ecphimfb.exe
696	Efneehef.exe
2400	Ehlaaddj.exe
4828	Eqciba32.exe
1500	Ebeejijj.exe
652	Ejlmkgkl.exe
4304	Eqfeha32.exe
1984	Fbgbpihg.exe
4516	Fhajlc32.exe
4056	Fqhbmqqg.exe
4196	Fbioei32.exe
1144	Fjqgff32.exe
5028	Fqkocpod.exe
4716	Fbllkh32.exe
1428	Fjcclf32.exe
2300	Fmapha32.exe
4368	Fbnhphbp.exe
492	Fjepaecb.exe
3508	Fqohnp32.exe
3252	Fbqefhpm.exe
2460	Fjhmgeao.exe
4348	Fmficqpc.exe
3136	Fodeolof.exe
1576	Gfnnlffc.exe
3968	Gmhfhp32.exe
3256	Gqdbiofi.exe
3840	Gcbnejem.exe
4704	Gjlfbd32.exe
4460	Gqfooodg.exe
2944	Gbgkfg32.exe
5060	Gjocgdkg.exe
2248	Giacca32.exe
2192	Gqikdn32.exe
3308	Gcggpj32.exe
2252	Gfedle32.exe
5012	Gmoliohh.exe
4112	Gfhqbe32.exe
2484	Gjclbc32.exe
2392	Gmaioo32.exe
4836	Gppekj32.exe
1468	Hboagf32.exe
4652	Hjfihc32.exe
1112	Hmdedo32.exe
1252	Hcnnaikp.exe
4064	Hfljmdjc.exe
2996	Hmfbjnbp.exe
4188	Hpenfjad.exe
4560	Hcqjfh32.exe
3200	Hfofbd32.exe
1856	Hmioonpn.exe
1740	Hpgkkioa.exe
4476	Hfachc32.exe
4944	Hjmoibog.exe
896	Hmklen32.exe
1680	Hpihai32.exe
5016	Hbhdmd32.exe
2588	Hjolnb32.exe
3092	Hmmhjm32.exe
4612	Ipldfi32.exe
3276	Ibjqcd32.exe
4128	Iffmccbi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ecphimfb.exe	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Bejnmepn.dll	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Cfjbmnlq.dll	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Fagmapfi.dll	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7012	6852	WerFault.exe	257

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 2368	3796	0bb91db1c2a6181125d0648f8e13fb10654cb57c8a36ac6ab5243e5a46498d37_NeikiAnalytics.exe	82
PID 3796 wrote to memory of 2368	3796	0bb91db1c2a6181125d0648f8e13fb10654cb57c8a36ac6ab5243e5a46498d37_NeikiAnalytics.exe	82
PID 3796 wrote to memory of 2368	3796	0bb91db1c2a6181125d0648f8e13fb10654cb57c8a36ac6ab5243e5a46498d37_NeikiAnalytics.exe	82
PID 2368 wrote to memory of 1224	2368	Eoapbo32.exe	83
PID 2368 wrote to memory of 1224	2368	Eoapbo32.exe	83
PID 2368 wrote to memory of 1224	2368	Eoapbo32.exe	83
PID 1224 wrote to memory of 564	1224	Ejgdpg32.exe	84
PID 1224 wrote to memory of 564	1224	Ejgdpg32.exe	84
PID 1224 wrote to memory of 564	1224	Ejgdpg32.exe	84
PID 564 wrote to memory of 3740	564	Eqalmafo.exe	85
PID 564 wrote to memory of 3740	564	Eqalmafo.exe	85
PID 564 wrote to memory of 3740	564	Eqalmafo.exe	85
PID 3740 wrote to memory of 696	3740	Ecphimfb.exe	86
PID 3740 wrote to memory of 696	3740	Ecphimfb.exe	86
PID 3740 wrote to memory of 696	3740	Ecphimfb.exe	86
PID 696 wrote to memory of 2400	696	Efneehef.exe	87
PID 696 wrote to memory of 2400	696	Efneehef.exe	87
PID 696 wrote to memory of 2400	696	Efneehef.exe	87
PID 2400 wrote to memory of 4828	2400	Ehlaaddj.exe	88
PID 2400 wrote to memory of 4828	2400	Ehlaaddj.exe	88
PID 2400 wrote to memory of 4828	2400	Ehlaaddj.exe	88
PID 4828 wrote to memory of 1500	4828	Eqciba32.exe	89
PID 4828 wrote to memory of 1500	4828	Eqciba32.exe	89
PID 4828 wrote to memory of 1500	4828	Eqciba32.exe	89
PID 1500 wrote to memory of 652	1500	Ebeejijj.exe	90
PID 1500 wrote to memory of 652	1500	Ebeejijj.exe	90
PID 1500 wrote to memory of 652	1500	Ebeejijj.exe	90
PID 652 wrote to memory of 4304	652	Ejlmkgkl.exe	91
PID 652 wrote to memory of 4304	652	Ejlmkgkl.exe	91
PID 652 wrote to memory of 4304	652	Ejlmkgkl.exe	91
PID 4304 wrote to memory of 1984	4304	Eqfeha32.exe	92
PID 4304 wrote to memory of 1984	4304	Eqfeha32.exe	92
PID 4304 wrote to memory of 1984	4304	Eqfeha32.exe	92
PID 1984 wrote to memory of 4516	1984	Fbgbpihg.exe	93
PID 1984 wrote to memory of 4516	1984	Fbgbpihg.exe	93
PID 1984 wrote to memory of 4516	1984	Fbgbpihg.exe	93
PID 4516 wrote to memory of 4056	4516	Fhajlc32.exe	94
PID 4516 wrote to memory of 4056	4516	Fhajlc32.exe	94
PID 4516 wrote to memory of 4056	4516	Fhajlc32.exe	94
PID 4056 wrote to memory of 4196	4056	Fqhbmqqg.exe	95
PID 4056 wrote to memory of 4196	4056	Fqhbmqqg.exe	95
PID 4056 wrote to memory of 4196	4056	Fqhbmqqg.exe	95
PID 4196 wrote to memory of 1144	4196	Fbioei32.exe	96
PID 4196 wrote to memory of 1144	4196	Fbioei32.exe	96
PID 4196 wrote to memory of 1144	4196	Fbioei32.exe	96
PID 1144 wrote to memory of 5028	1144	Fjqgff32.exe	97
PID 1144 wrote to memory of 5028	1144	Fjqgff32.exe	97
PID 1144 wrote to memory of 5028	1144	Fjqgff32.exe	97
PID 5028 wrote to memory of 4716	5028	Fqkocpod.exe	98
PID 5028 wrote to memory of 4716	5028	Fqkocpod.exe	98
PID 5028 wrote to memory of 4716	5028	Fqkocpod.exe	98
PID 4716 wrote to memory of 1428	4716	Fbllkh32.exe	99
PID 4716 wrote to memory of 1428	4716	Fbllkh32.exe	99
PID 4716 wrote to memory of 1428	4716	Fbllkh32.exe	99
PID 1428 wrote to memory of 2300	1428	Fjcclf32.exe	100
PID 1428 wrote to memory of 2300	1428	Fjcclf32.exe	100
PID 1428 wrote to memory of 2300	1428	Fjcclf32.exe	100
PID 2300 wrote to memory of 4368	2300	Fmapha32.exe	101
PID 2300 wrote to memory of 4368	2300	Fmapha32.exe	101
PID 2300 wrote to memory of 4368	2300	Fmapha32.exe	101
PID 4368 wrote to memory of 492	4368	Fbnhphbp.exe	102
PID 4368 wrote to memory of 492	4368	Fbnhphbp.exe	102
PID 4368 wrote to memory of 492	4368	Fbnhphbp.exe	102
PID 492 wrote to memory of 3508	492	Fjepaecb.exe	103

C:\Users\Admin\AppData\Local\Temp\0bb91db1c2a6181125d0648f8e13fb10654cb57c8a36ac6ab5243e5a46498d37_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0bb91db1c2a6181125d0648f8e13fb10654cb57c8a36ac6ab5243e5a46498d37_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\SysWOW64\Eoapbo32.exe
  C:\Windows\system32\Eoapbo32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\Ejgdpg32.exe
    C:\Windows\system32\Ejgdpg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\Eqalmafo.exe
      C:\Windows\system32\Eqalmafo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:564
    - - C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
      - C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        24⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        25⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        39⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        42⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        44⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        48⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        52⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        53⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        54⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        55⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        61⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        65⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        66⤵
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        67⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        68⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        69⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        70⤵
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        72⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3296
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        75⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4676
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        79⤵
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        80⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4180
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        83⤵
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        84⤵
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3220
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        87⤵
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        88⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        89⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        90⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        91⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        92⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        93⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        101⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        103⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        106⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        107⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        109⤵
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        110⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        111⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        112⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        113⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        115⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        116⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        117⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        119⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        120⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        122⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        123⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        124⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        131⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        135⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        136⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        137⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        141⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        145⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        146⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        151⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        152⤵
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        156⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        158⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        159⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        161⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        163⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        166⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        169⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        170⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6852 -s 408
        171⤵
        Program crash
        
        PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6852 -ip 6852
1⤵
PID:6976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
64KB

MD5
62346fbae862ab79c2ecf0afadc7b81c

SHA1
7dd03e21eaa8079efdfa6ad3c51a59992e40f14d

SHA256
cbd421177d1e8e302ab789bdba9fbdb1736830ef5f07e475c3ee64cc962d652f

SHA512
4848e96e5e3809ceb1fe7607922e7c549e40f21de47bde1a4cdb85b571ad246231a7cef8bec5a00860d668a5b83b827f615f99814304eaf93dc123b9deff6f94

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
64KB

MD5
2947be771fe88c5ceb5de1ba2420bc93

SHA1
4981c256699ec6b6b0ecfaecf6aedaf6c3c6c304

SHA256
6ad39e523107a61ade59ded8d008fc171e4cc4e5b3805c267294b13f6eae0868

SHA512
d3e9f7c0f9e23b7b1c9b6da3dae5e9addf86d4931eb8390695ef39641fb3648abc5e5834da973a172b99e8ba7f5a79c1b1ddc4a13c592c2dab92e79d6007ea98

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
64KB

MD5
7710a27f5274c19bdf4b18aefa204054

SHA1
477956bb527bebc0ba82b38e453f071645fafd54

SHA256
6ab70a0992276bb4f763783ea79187b93b2e0ab43e843c45b6bcbd51beb964e0

SHA512
692470e7c0ae2b4d0c3a2f79267d234649e057aaae76c923e497f2aaad42714ae404435ccb2dbc15750eccce7c71590797067065bf1b05fe237012c2d12ae0b2

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
64KB

MD5
70d4917dbade6e46fc5d2eb60f1dc702

SHA1
aad85fc8a9d4cc6d65f20d05e9d7991f505432e0

SHA256
097f2855e80e83d003396697a5e0a8ee8338341fa2eb5a0eb9f52d892e90fcac

SHA512
dd13f771bad6eb84552ac3d54a4440f3376749e94503bbd35a6f3829e1b6077fa32023babd968be119479c330e570537490954111c821f7a84433b7f090f4816

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
64KB

MD5
614453baf8e4c30ac57bfd031ddaff92

SHA1
e032167b6d0ba27ad42b0b9a3f1bfccfaf4fc377

SHA256
2ce6a5a07216fb15c22d781923e3b21cef22ef33ca1ce33b89e33ab2b1176b23

SHA512
d76337123b46f08678ec4c87d78d4121e6436272d5686d700b5171ac43b89bd83b8e30a68687607f0b9e42c55597672c10138fd26a9cc3463ef33e26bb79bb42

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
64KB

MD5
23221acfe0268fb681477b9652f49d2b

SHA1
4d877e7417743e759594f4f8c685953fddd50230

SHA256
fe2047097551ecf86c9084629738f2b02784d69a28cd4f572f32664ed2364841

SHA512
e2c610aca2da7773ec5e9b89e46062fbabf6d10494e3aba6626c04e3303ef7e6097ae1e605bf04976ac6c1821665859c45fb0d17fdd47a6382de671ee9834bf1

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
64KB

MD5
6f7e81ca4572e5a155422fdea592cd2c

SHA1
01659dfb4855782226d5e4c46778bee02302e8ef

SHA256
e095075f775b5be483d2377ea91ee3b5cc20a3297bc21450983b0eddd54bb978

SHA512
8789a08d1ff27c5a5b4ec3844d57a5d260a076c6aacbf7c145e04993476e08c6b823e6637ac521ab2e202f7a32548902d43cc7d8e4213893e765fad32f428ba6

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
64KB

MD5
3bf3343f89bbfcc5c92ec3868e6d288d

SHA1
68076191fb60bb77c7ad719aae33dadeec6f580f

SHA256
e058963ac78485e1c3a0bd9c3d6147db618b5202648570289f19b218457f64d3

SHA512
d16c7a29b117bb8c6e19130a84e644fb35b2a2de200272f02f31c73a429a4ee500a54b649eba39c874f66f94e0ea608f7ab1ce787bed1de3562bcde96c93b614

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
64KB

MD5
de28cf648383db6ccff3ba30c59f69a4

SHA1
319399d15dcfe327aad0aa8f5daf56a0017eae7a

SHA256
d3ac59a4b62950b1ae0d124b10b941094aa46d6135cdb7085870d2e56c857a1c

SHA512
935705a6e03192398227fbac24f89ca993e498d8125c8cc87e6e4e6c051c02f665b5d95999014452fcd7efe45cad9e5178c74eb1ea2be7dc30a3c8c12a838f5e

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
64KB

MD5
10eccceef0c90b1b049b379dee1a8432

SHA1
7b475775559c65fb1170f3a7a3425ad0b8ec2d4b

SHA256
0fc87e5a98b7f871cd015069fddfb5bb52fe3ba769ca6c58806a5cefdf93bcc3

SHA512
df7857a772c8acb3ab20c73a5e43cc4d6501ab2b493da7130a2385eda666e6b178164e0a418adfe60a90d58f1e36885b40a3ed1ee3de67658fdd273cccbc742c

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
64KB

MD5
b966e95136ec13e77bf1133e6731eab6

SHA1
e79b88ea680c716e33b59bcd503e3a10558fd54b

SHA256
ff4028185ff222fb23a0a56a0fcab278b9456e63bf424b70d85f2401eab8db7c

SHA512
036b48e82c9505a10f65bcdf0d31cded4401427c6664810cac43d5ea63583c049ea0b9a83c3c01136da4a93ca4a47076417ff9334f9f6778f0a1349cf1923ac7

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
64KB

MD5
de08d28657975b774b4516363c3a986e

SHA1
d0095dfac8c46136b0655100a349b5374ae1aee9

SHA256
aadaf0e0f2fe43542cc672f128c719bae7f697768cdb0dead0355f1ebc20efe7

SHA512
5ae870eaeb773c7fecca05c8253c710a60835f2ee008cf78b0021e935843460f59e065f70fd7937e8f7ebb393637da460db71113f4dbc1df142e35f063c4c58f

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
64KB

MD5
74ece6de88e48817646a62d4c0a26994

SHA1
9204bec5ec920a49f95cba67b786d7a7353e1bca

SHA256
a1ac527f8aa60d4ee28baf232e97a96fdfec40197699865dd0f68b384c07bc94

SHA512
7d014cf9aad4f4192beaadad9fcca861f386508197dcea8e512ce572fb77ef898403ceb0715731cc99cbd9d3c92ef0ad7ac4c24335e2cc1c7fbb0dd93278542c

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
64KB

MD5
097626b9bd0ba45960808acdaf689ed8

SHA1
b0d76caf2792471cf8e6b17ba8243ffb9d028430

SHA256
c3226543add713040c4e64e891598bde264ef44c1d8fdaff7e069d6fee0c7cb4

SHA512
6a0c060a5d4948184329a2dc69cb94d47a38d4dafd0d4afee1880b337441877a6076239881f8485f199620a37592919eb5e7ad2a99dfe095ca63396321ed0713

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
64KB

MD5
6a13f079bbd38b695216687589822baa

SHA1
91d215c19956fac78b852b8c7ca654fc6442be36

SHA256
04e06a04bb1506d028273eef1fca3ad524a70c59bd4d00a16e6f40d3a9a5bd74

SHA512
85034e94ec8421c4d57876fe5dc10401dc4c5e5a73a3ebd90f5c75bc32d313bbc80d262f4e080b462be9cbf4f35cc9a04d569fe011b314c528a6398b9365659b

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
64KB

MD5
69e20861fcf390c7314c9920aaf9437d

SHA1
9ca8d1d18a34fc3ec111c3b793bff5891297ff34

SHA256
53807c1243b76d0ad52427a3a9769398194da3c76d273831145f466d9776eb27

SHA512
d6db042e73b18b72dd715df74dc0af6aef243df4b449a4983c4a386b97bb3ffc40835a71bad1d6758f81e67ededa351473dd466c053155f3fd6c684b9b6dc7d8

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
64KB

MD5
a162f17219b923c549edccf236a51101

SHA1
89b5ad4fe441e4309d9d30e4e780ec12a072210a

SHA256
869931eb6ee77bec319e6934f8dd944f709f8de20e3abfcf58af3bc1427e6248

SHA512
823be36005b32ee84fe1dec502fc6541b0575705fb1594f45b3cd7b3af7bd3fe2c6838c26dfde7e527c95d2fac6e065b58d3c1b79a5e034f56fa2bab3de3ff7e

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
64KB

MD5
1e34b7f89e3749542d4cdfb0b065bb29

SHA1
85f855413a5a0b18b172a828182c02b374498d80

SHA256
097fa9c88fb8d8ed0fd51c04247bbe20999c5ebaee0b6caa907648a910dc2ea7

SHA512
2622ccd3456fe56ce8d7c190a25c88c8962ae1beece432f5dbfa7cd189156a1dda510a99ca98dbfbab90fc3e5e30ca4584aa98a7c293826731dfe5cc8e06814e

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
64KB

MD5
a7efbef7531267e6cf96e3b6c025f38a

SHA1
f584f9ffb35d346295330025fb97e41d5de584a4

SHA256
2eb2b60e6679afd9e52ae8b42a3c9a34854a4a1f1ece57c52521cbffd59f1805

SHA512
70be5698dbbb311cef16c69549ef9918447e716ea42cf1b0b9cdff64721b166ac1738eff0482b5663f7820015582c98142b0e9518aa7929508b854d222910002

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
64KB

MD5
e56e9bbe308855104d33a8b0d57e1ff0

SHA1
fa52f07c6242bd90422348d253a04d2e706a9477

SHA256
ae2ef4d1dbf62b1f285f13a3e000f736c80a5785755b85ee3ae76391c748e87f

SHA512
3578f7b133b0c9e5e4baf09f6f0e57f30b0b157e3cfac4ac13755f0bc2e1d1d3b95c198189ed195a27a633d5f300fe752278479b63fe7f0430b6d98f5b0b9ff6

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
64KB

MD5
4d8fbccc9d69b54254dd68b19a1f5311

SHA1
05fe9e24cff3cbf01e98b9f194198454d068a79f

SHA256
8a2a0260b5146fb97939e5d86be76901320d3f4855c414fab47eea01bbdda6d5

SHA512
992102166798f0d411b5c3a733eba7efea4a9d76d92c868ea2f3226335e1ae0384d7893a2c7079118f0a819262ad783edcf16926a1eeaeb833541cc3de8e8000

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
64KB

MD5
98b4badc0f2369413318384819b63f78

SHA1
e2660a48153bd52805d71a6971680526db3c1977

SHA256
fc92c516d2c210a4e8d4fe16dd4f9e3665c2a53f31278e377d0883d6acf84801

SHA512
836d1781d8bbaa7bf99741d8fa3364b6900c8a2eaa39aa01ccb0a48bb00169d596e8174753f10b3a719e20d161cdf86e34249967f2488585426e1a76aee2a01f

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
64KB

MD5
c0fed89c76a1e93579eb97f292511d65

SHA1
7a3212b37f2b3ebaa08d62ef8ecb6fe9f7000140

SHA256
ea2141ab2699c75f30e565eac495c58636c75ff52c80876f4dfea9eb67c1f47b

SHA512
0490a61b29f5bc32c38bf9aa72a2f1b52ec3d03511894ba32af28f2d9bbbcb623cd04e6df5d20a347da880b266274f01221c046d1d0149fd90410f09396ce81a

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
64KB

MD5
8f6e07497065a92d4b95daf58df1e577

SHA1
1f15d3a040eead3331606d4ce199965cfb082b2d

SHA256
2cd6d9bcd45ed344266914be4d4aa56940355ede18f2ffb87d5850c0e2ad8e92

SHA512
d862254b134188e51d5b6eef13f03890d07bc3fc8bb865edbec5bc1dbcf6e3d4c1094fb196c8aa7496c4d72466998bf4444b921889fc85e7144d049f99e32518

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
64KB

MD5
a418e95f91aa77fc6057472ee7f66ad2

SHA1
ab70af5ee0ddbc4dfa0882bbd14793a7032db6b6

SHA256
6fa977dfc9a5a8f38b979daae66adcc0e6c76dd62d84c1b85319f9b4878f1bb4

SHA512
a6196e04c33a518a8e7c1e4f7eb1c0adf3bcb23b4ec7b80ca05b1368559d62a51169e8027f20627469d2fa4d1fe91591cc2054a7273da77eb278fc16f358ec2b

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
64KB

MD5
4826a21510fff4049b5293a549a03437

SHA1
1dcb51783e9f32b2642184a30828457c2e9921b6

SHA256
0e23f31c9de778c8b17bd754af40ea28bfe80fbef7077e3558241c2ef3bdb815

SHA512
7ae4f50f5c6de0492c54c20cdf1939f8702184e9135a97e3677929d370c0db077194b08db1a5e76522bf9b11787c35d6f3da8978208785bd2574441de69dbce8

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
64KB

MD5
5192fd236f8b9b0a206d2eaa709e4f2d

SHA1
f07a88fa293e63abd2fc205d43ca9209b9edd0b2

SHA256
0f84d4f8b8d155649efa614e18e39575080c80f36994caf6efb3da02bfa7e2c1

SHA512
d7aa0aa5c3cbbfead42f8ed78b88dea117a5a7a899eb1dc5123b67b5b970ac9bf486a29a06efb43cdd50889ea37b40bf959af5265bd1cfb2d7e96ccd71b67439

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
64KB

MD5
224de673b66bbff0fdc75f20535fc9f1

SHA1
9dc87094e8605afbcdf3c91a2a3abe191ff67085

SHA256
38d4865a5f3d2bb5c937993b322fec53ec46cb073eec44dcf30aa3c6be45f1b1

SHA512
2ca5d32d841c19c799b35ac8f7075fcbdbc98b7972c6c7a630bd94a422e844166f133a4b73134b88f29ff4ee3b0dda77e07a0bc6fee166c44176fd2601d8625b

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
64KB

MD5
28c75cdd4d741aa700daa9501f741460

SHA1
d080207c16148bb7febf1b8d218a3d23a36f7776

SHA256
031e598e36cbd89cd3910d090437b1f8a86e6d9fd2337d1b25eb24ae4c605c8d

SHA512
8e626488ec2f5a88d5a722f485a1200ac371e98e9e2e2da533917bdcc8e2320ed68903f9e34fe1f22c04de3f622f6a0feddcea435e2bce4af027e9376720e29b

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
64KB

MD5
a7124bcc1a8db059108d1122e5464675

SHA1
414b929a3ba1ec41b2d9ac05e5ca15b6ee4a65cf

SHA256
1baed3e279189eb8dce74598e9ae31ae09c7c2702a97742df9e68158040e0f2c

SHA512
e3119a514bd0d94665888c08cf6c12d298100a8440942427ee6ecbc2c18214f4c8dd92ae30159a0d3c6f5a7762f2d61658957e87155a2b08a76dc3956f09682f

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
64KB

MD5
84538ec9aad7cf2943df06022c1608c4

SHA1
692f5adda4f36fd9151b81b4e5a8add978533f20

SHA256
66a8f4eb0f6c8c5d897c01f8b7f31c9b504eeeb1b4ab3bb920b82565d89d0abe

SHA512
8b07e723d41f08b3f8e23121e52c634de9180d6d23d638561ab4410ff482cf7ff2eb17d35e4b46e60370392f9e52c3aae448d447bf125a8457dd89109ed38988

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
64KB

MD5
de4db3ffdcbd6651b491fce7a566aaad

SHA1
09bba09ad8520cbc2455b5f3a82cf5b96efbd2f3

SHA256
7ac2ea63cfcada79e0159416a63de62a27ead514bdc1b084b241353636692539

SHA512
c89ae9dd31671ed849fabea01c2506b50abf7a350eb29566d19ac62f15345c1aa650ff59c8ee2eebf966ea6462cfe358f4bb257c030d2d43ebfb8c5ef5d9bf53

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
64KB

MD5
fce3a0f709b62dd759fd73e18d740bff

SHA1
abc97c5cfd74b6c7132e9728ee7c04180cf5fa99

SHA256
b44a5b1ce0c29f759b1b73d66d054040413dc63e20168400daf4017c2bcc9d23

SHA512
9584c970a65a3ac9f053e90901ed24e300503a7149684aad815fc969f9bb282eccf984d7c8b44f28600ea33f9bf09d89fc9bb34ddcedd31538d74b28d2d07092

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
64KB

MD5
fe8bccbd48c41f3fd3a816eb93233d43

SHA1
b94ed36e9a3cd8a83e826e04638ea99ea3e3d53c

SHA256
dfa8ad3e19c8c16c1e1d090dc648a916071a8f5410cb71a282289e13194a1748

SHA512
3ef20cba9049addade37e6739413d55fb82595eb5415aa1a1160f8e409dbad507c31eb4064f019f5be4bfaee79968a04a1e638f6492f7bb92c6ac671ec64204f

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
64KB

MD5
da8ad536f4a1886473f902e5b07fc10b

SHA1
dbcc05a810d8e68bc448f04b1310f10f79965b93

SHA256
9fd60adb494558418d5c24e2d2b2c603ee5f1a9068adc462f31f37ffb849aa14

SHA512
b6d4e2d99003b08e0b3b949bea7d0aa6aac530389f20572d19f46413402a86d4ee4bfa2310d31bc70d544ffce748211419358ff12b6333ed82a35802b605221f

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
64KB

MD5
298d03d4b0f926b28d94b08c8ba7b568

SHA1
31f4b15dbca49ef74fbdc0e8346bdc31e67e8a36

SHA256
6ef4a74a0f8fbf4166fe475b11993065c345b2c9c8e84c56a347c29fa031599d

SHA512
ae81296aa2984fa3e2ab259d3afa5270e5e28e0ff8282489819880361d1b57eb463eafbae76a91ec8b3725fe2c500c756e15716731d9f9f9d42438c255c5b0c0

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
64KB

MD5
c9f7737f8bb9b059286b4ce56604f7c8

SHA1
12973732d55ed0971aaafae51ef82750a5fca790

SHA256
f036c39f61a6a2777d8b4a3f733e3028504bd7bc50f2cf3fc4a1abeba6eb83dc

SHA512
672fd81f3d791dbd889d54212d2720e62019aec6206bc173d12cfe6abc1e8955fc662bec9aefc31c0ad7c89e283d052a903b45b15224dc47c9355af0fcf2679b

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
64KB

MD5
7808fee7c02305095a51166a00d9e946

SHA1
ada55444f3ec56948e6e9a522a3d39ba5647e1bc

SHA256
d18aeb7e92d3db35467b6e77b58b0705245ced6f3f4c3144fe625505072c6ee6

SHA512
61e3f9688dcbab2a828360a7c54870bec8c136c170b3bd22641002015fd3f9a31305b573a9c294ec2a2a5d4500a958d859b569461758be690afecfac1c992279

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
64KB

MD5
5b31a15fe03a85528801d033ebbf13af

SHA1
8467f7e8f3c9e21615f0faef043cbcbcebe52ae9

SHA256
133a5fd3d9f0896cc2316e399f89661869938c7a662daac7b9e6f83b8f15f3b5

SHA512
d789cb5e14a972484639132450c6a23f063faeacedfd34ccb489705a38404d81e79fa6fba96dc8661d76bdae1e330abded586af180a63d3ac9b978677a043826

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
64KB

MD5
c181d375087d6ba37c117b6e90a1ea5f

SHA1
ebf16307fe1276d08e6806c483f76deb8e1e9d86

SHA256
57d2205fd861558cede8f6b0d8112e1d0ba7e3e754d1273c649166dc5c7f6067

SHA512
2f06c21bf2a3f7d561fc42a429dd9a23a141c682c1c2da87d5088f1c8fffc3917f725a4d1fbdd92a7ad499610c04cbf445e683e0ad12fce2ecb2f3b20807e18f

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
64KB

MD5
c95de6354b25688608402935e9407d2c

SHA1
e5c32b767411259fdf6764eaa88fb5111c14a839

SHA256
574a32d84c860bd6ccf6a238bd7c6456da12ec771b81855af89e498dfa5c848c

SHA512
e48fd7637ecb4ea81c27e95dca19c4d93fcb496fdabd6ca54e8dc61124a1bbaff5d6c9219bc30f080f1c709ac289b0f3bc20ca3e6e94ca5222cdd5699ac3955a

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
64KB

MD5
dcd48831004a101ddd48d5eba6f9e791

SHA1
54527057ba4ce876c80b3b15ac51e09e7d4efcc3

SHA256
25aa926a35820dda3d16331ce9c7e8997349f82a357ff7ec631b771836128215

SHA512
000857cb918e252bf156329f1b83cd4e7f0974374fc6620a73081f33be2be6815de3b7f05e02096553033172809044a250e6afdd0f9dd5678fee8c939f4c1e36

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
64KB

MD5
476a1a6bbce3df77f50a268385d53c24

SHA1
8bb1fe89c375e2a738aef5ac661ffff7ca0a62b2

SHA256
fd5b3192c1863a47550748c27fc45f9680ea647dd13fa4c76885253380164901

SHA512
f348b15b983035925909ce81a223620bc0db40702d4b1a94fd5cb174ed45a5a30aeb629e84df225cbf3cbcfcdeccf2598136519cb8eefb9121381da504fa364a

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
64KB

MD5
d0331208bb989e6b9a39f8bbf21b68e8

SHA1
2149db9dade38217355057251edff455cef83def

SHA256
0d3c08d248fa059b1b1347da8de16a7a0293580015dcafb9391f06cba526713e

SHA512
4f3fbaa9d246a4617847aa881023cc67eb6782dacad41bc00d78980c8b6dc046934164e1e8d8ca7b12f408f31fc1d12a6a86cbd663231ffd2a2013135bc16210

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
64KB

MD5
6b21fccd002f3b00f64a123941611131

SHA1
ee4527f5c5c971877e7bf6d67ba93f04b86f2c56

SHA256
d433e1e56a254e8412e0309dad05b843d3db62c52dec56fff14688c80b083891

SHA512
78b6c689c62029bf0eb120e07a1ea1f6e7cbc23b4ca24b011468aff4d0b3eb3929bb784fefa478bd05bcfba88ff3045e32cf2fd38430bdeb5d98defd43b0b880

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
64KB

MD5
9e0ff936564ffdd68ae8fd470bc542df

SHA1
1a1bcb6a573870e64b8c14651fe9fa3469b9d52d

SHA256
fc31347e7835a098bbf64b4969abe15c2c2d5bc5191b89e79c248eedbe9650ad

SHA512
c3b87ae44584e20098cdef3cf36d2177294c2b9c1f1251194c5a2bd8218c2b85620994410e01b31395ef62490ebda192ae34ebd231796721a81cfc1131fa7e36

Download Submit
memory/216-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/492-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/520-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1252-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3200-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3796-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5164-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads