8d816cd403b25585b38a7fb4ac9f7b1b97a77747d2802a434c8975d8bbbe366a

Analysis

max time kernel
132s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0acb8ac8cbad948bf1b79afbdd6d2680_NeikiAnalytics.exe
Size

219KB
MD5

0acb8ac8cbad948bf1b79afbdd6d2680
SHA1

33f5a5d23ab3421b11dab30557a2146a531b1fba
SHA256

8d816cd403b25585b38a7fb4ac9f7b1b97a77747d2802a434c8975d8bbbe366a
SHA512

b17346dcef25b21066a8c3fd3b09f9dde84e8472744c1571fa2ebbf463997e04290653a0751c82bda1ba959e2f10043d037de89ce6c0f0bb4251e5c254d13dcd
SSDEEP

3072:ATBqPuLzxb3+0PzwuZkO0aDb/IBPCOQvU6z314EXrjvwSfYrwBt:ATBqKxbOqzDOO0aDD4PCxdXXwSfYrwB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe

Executes dropped EXE 64 IoCs

pid	Process
624	Fopldmcl.exe
8	Fbnhphbp.exe
5036	Fmclmabe.exe
4844	Fobiilai.exe
4044	Fbqefhpm.exe
2340	Fijmbb32.exe
1808	Fodeolof.exe
3772	Gfnnlffc.exe
1180	Gimjhafg.exe
4176	Gogbdl32.exe
3976	Gbenqg32.exe
3336	Giofnacd.exe
3732	Goiojk32.exe
4696	Gbgkfg32.exe
2816	Gjocgdkg.exe
2992	Gmmocpjk.exe
996	Gpklpkio.exe
3192	Gbjhlfhb.exe
4268	Gmoliohh.exe
4584	Gpnhekgl.exe
4412	Gbldaffp.exe
2232	Gjclbc32.exe
2528	Gmaioo32.exe
4548	Hboagf32.exe
4504	Hpbaqj32.exe
2840	Hbanme32.exe
4180	Hjhfnccl.exe
1252	Hcqjfh32.exe
2128	Hjjbcbqj.exe
4360	Hadkpm32.exe
2940	Hbeghene.exe
3768	Hippdo32.exe
4120	Hcedaheh.exe
3012	Hibljoco.exe
3452	Haidklda.exe
388	Icgqggce.exe
4136	Ibjqcd32.exe
5016	Ijaida32.exe
4100	Impepm32.exe
4472	Iakaql32.exe
2684	Icjmmg32.exe
4596	Ifhiib32.exe
3608	Ijdeiaio.exe
1292	Imbaemhc.exe
2800	Ipqnahgf.exe
3756	Ibojncfj.exe
1416	Ijfboafl.exe
4988	Imdnklfp.exe
2956	Iapjlk32.exe
1400	Ibagcc32.exe
4396	Ifmcdblq.exe
1412	Imgkql32.exe
448	Iabgaklg.exe
4076	Idacmfkj.exe
4440	Ifopiajn.exe
4612	Iinlemia.exe
884	Jaedgjjd.exe
3960	Jdcpcf32.exe
3576	Jfaloa32.exe
808	Jiphkm32.exe
2252	Jpjqhgol.exe
2368	Jbhmdbnp.exe
1976	Jjpeepnb.exe
4848	Jibeql32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6624	6504	WerFault.exe	236

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 624	368	0acb8ac8cbad948bf1b79afbdd6d2680_NeikiAnalytics.exe	83
PID 368 wrote to memory of 624	368	0acb8ac8cbad948bf1b79afbdd6d2680_NeikiAnalytics.exe	83
PID 368 wrote to memory of 624	368	0acb8ac8cbad948bf1b79afbdd6d2680_NeikiAnalytics.exe	83
PID 624 wrote to memory of 8	624	Fopldmcl.exe	84
PID 624 wrote to memory of 8	624	Fopldmcl.exe	84
PID 624 wrote to memory of 8	624	Fopldmcl.exe	84
PID 8 wrote to memory of 5036	8	Fbnhphbp.exe	85
PID 8 wrote to memory of 5036	8	Fbnhphbp.exe	85
PID 8 wrote to memory of 5036	8	Fbnhphbp.exe	85
PID 5036 wrote to memory of 4844	5036	Fmclmabe.exe	86
PID 5036 wrote to memory of 4844	5036	Fmclmabe.exe	86
PID 5036 wrote to memory of 4844	5036	Fmclmabe.exe	86
PID 4844 wrote to memory of 4044	4844	Fobiilai.exe	87
PID 4844 wrote to memory of 4044	4844	Fobiilai.exe	87
PID 4844 wrote to memory of 4044	4844	Fobiilai.exe	87
PID 4044 wrote to memory of 2340	4044	Fbqefhpm.exe	88
PID 4044 wrote to memory of 2340	4044	Fbqefhpm.exe	88
PID 4044 wrote to memory of 2340	4044	Fbqefhpm.exe	88
PID 2340 wrote to memory of 1808	2340	Fijmbb32.exe	89
PID 2340 wrote to memory of 1808	2340	Fijmbb32.exe	89
PID 2340 wrote to memory of 1808	2340	Fijmbb32.exe	89
PID 1808 wrote to memory of 3772	1808	Fodeolof.exe	90
PID 1808 wrote to memory of 3772	1808	Fodeolof.exe	90
PID 1808 wrote to memory of 3772	1808	Fodeolof.exe	90
PID 3772 wrote to memory of 1180	3772	Gfnnlffc.exe	91
PID 3772 wrote to memory of 1180	3772	Gfnnlffc.exe	91
PID 3772 wrote to memory of 1180	3772	Gfnnlffc.exe	91
PID 1180 wrote to memory of 4176	1180	Gimjhafg.exe	92
PID 1180 wrote to memory of 4176	1180	Gimjhafg.exe	92
PID 1180 wrote to memory of 4176	1180	Gimjhafg.exe	92
PID 4176 wrote to memory of 3976	4176	Gogbdl32.exe	93
PID 4176 wrote to memory of 3976	4176	Gogbdl32.exe	93
PID 4176 wrote to memory of 3976	4176	Gogbdl32.exe	93
PID 3976 wrote to memory of 3336	3976	Gbenqg32.exe	94
PID 3976 wrote to memory of 3336	3976	Gbenqg32.exe	94
PID 3976 wrote to memory of 3336	3976	Gbenqg32.exe	94
PID 3336 wrote to memory of 3732	3336	Giofnacd.exe	95
PID 3336 wrote to memory of 3732	3336	Giofnacd.exe	95
PID 3336 wrote to memory of 3732	3336	Giofnacd.exe	95
PID 3732 wrote to memory of 4696	3732	Goiojk32.exe	96
PID 3732 wrote to memory of 4696	3732	Goiojk32.exe	96
PID 3732 wrote to memory of 4696	3732	Goiojk32.exe	96
PID 4696 wrote to memory of 2816	4696	Gbgkfg32.exe	97
PID 4696 wrote to memory of 2816	4696	Gbgkfg32.exe	97
PID 4696 wrote to memory of 2816	4696	Gbgkfg32.exe	97
PID 2816 wrote to memory of 2992	2816	Gjocgdkg.exe	98
PID 2816 wrote to memory of 2992	2816	Gjocgdkg.exe	98
PID 2816 wrote to memory of 2992	2816	Gjocgdkg.exe	98
PID 2992 wrote to memory of 996	2992	Gmmocpjk.exe	99
PID 2992 wrote to memory of 996	2992	Gmmocpjk.exe	99
PID 2992 wrote to memory of 996	2992	Gmmocpjk.exe	99
PID 996 wrote to memory of 3192	996	Gpklpkio.exe	100
PID 996 wrote to memory of 3192	996	Gpklpkio.exe	100
PID 996 wrote to memory of 3192	996	Gpklpkio.exe	100
PID 3192 wrote to memory of 4268	3192	Gbjhlfhb.exe	101
PID 3192 wrote to memory of 4268	3192	Gbjhlfhb.exe	101
PID 3192 wrote to memory of 4268	3192	Gbjhlfhb.exe	101
PID 4268 wrote to memory of 4584	4268	Gmoliohh.exe	102
PID 4268 wrote to memory of 4584	4268	Gmoliohh.exe	102
PID 4268 wrote to memory of 4584	4268	Gmoliohh.exe	102
PID 4584 wrote to memory of 4412	4584	Gpnhekgl.exe	103
PID 4584 wrote to memory of 4412	4584	Gpnhekgl.exe	103
PID 4584 wrote to memory of 4412	4584	Gpnhekgl.exe	103
PID 4412 wrote to memory of 2232	4412	Gbldaffp.exe	104

C:\Users\Admin\AppData\Local\Temp\0acb8ac8cbad948bf1b79afbdd6d2680_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0acb8ac8cbad948bf1b79afbdd6d2680_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\Fopldmcl.exe
  C:\Windows\system32\Fopldmcl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\Fbnhphbp.exe
    C:\Windows\system32\Fbnhphbp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\Fmclmabe.exe
      C:\Windows\system32\Fmclmabe.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        25⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        26⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        34⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        40⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        45⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        49⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        55⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        56⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        59⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        60⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        61⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2844
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3688
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        69⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        70⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        72⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        74⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        75⤵
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        76⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        77⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        78⤵
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        79⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3120
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        83⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        84⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        86⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        88⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        90⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        93⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        94⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        97⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        104⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        108⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        109⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        110⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        112⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        117⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        120⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        121⤵
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        122⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        123⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        125⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        132⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:992
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        135⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        136⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        137⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        138⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        140⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        141⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        144⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        146⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 408
        150⤵
        Program crash
        
        PID:6624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6504 -ip 6504
1⤵
PID:6568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
219KB

MD5
8bf1b718f11f4c3cfd8eb3d36ac71819

SHA1
b140171e405db9b9848a4bc1b48c4bfaf2b43822

SHA256
4007e59b7268241d3b6944b8164f941e73f9e7ecbc96ee81cfdc9ecdb2de7416

SHA512
449d2231a15b2cceb39aa4e919f319d155ae19d8248db7e739cdbde4f7e21882e77f1941b6b1a6d788a9c2a54171b6137163ab5efd3d7a180ca37181880913bf

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
219KB

MD5
1a15fb9d504301a1d2bedc10ac303650

SHA1
4f8a5c101dd36624a06454925130dc5098afd747

SHA256
29070c1fa42b954ae8984ccd21e7710f3b3339717ad39bbb448495dceed06c10

SHA512
a4032d27c3a961387421aedf2b5e407bf44a9dbb10c76e1149858b92d6d8084c429b6916d67b8323e641fe057766198adb6912db070bb30071cffe5beec93dcc

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
219KB

MD5
29c2a38545ea599ec7dc2361779ed898

SHA1
090b46a9a1d1f9dc44ff64707d86865646ebe96a

SHA256
7559fc9f18183520c0a171526f89a4ec80a1d8b0b472e49af2eaa3f1be9627b4

SHA512
07a6666e16e849bba657be05d2661beeb3d5fc2f95f65d8d6f9cb31963e2f7c7790a18ec1030c383bf72c47c09d7bf43175da8bf00c71c22a36a4bb4f2295210

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
219KB

MD5
e8fb11f716cca919b85f7f6d4684972b

SHA1
9b9390ffa093af724fc8533db16b68ba02ab9a9f

SHA256
7ed36bbc001ac19f729846c493b94ac91378c05e62c6d65e53408e0e0a1a25f7

SHA512
41a6acd52f951b460e529ab8767172ddfe77a6245af0898635062f73c88e5c49033bca68de11ee8fcba147261d4f866485d1a27424066862ca6dbb6172666f67

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
219KB

MD5
95a94e0800aa0480daa4c43e5ad6ac83

SHA1
681ca152dfdaf89332c1895cdf7dd9214e133693

SHA256
06e795c94c692de77eb4761fdedc103575b4217e505b7930a6b7a4e6b068a484

SHA512
2f6962daa97c905d5ffdc391e2861ed4f179e0f4b74d4071536c4f47293aaaf0ac94986e5d7936eceb8b79b2517ceec3730b6df54b9eddc102017549a8dcc0bc

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
219KB

MD5
8a141671c8cb3270f6a4a739becbae48

SHA1
82270e5c2230025ca30189793086f44718d6c13f

SHA256
66b953f3036e14d5989fb6dc94a9a825ccdd9dc37cae4a3475bc0804f70f08e3

SHA512
2d54fd588e7a37cbc9fd3dc004b676e41c177c4bde873e5222878acbe35ef8b30e139adfcd36021791eb0cd6edea0e0593d54a426eb2a412b33931af1fb40dd3

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
219KB

MD5
d0970fcec5d70bfa2ff6f87cc6d905ac

SHA1
89430702865f78f77924b9990a4e2c14e1365313

SHA256
eb1c70903a83c4cefb953f2fd4cbf2b655e93a0693dce6d817b9cd27836473f7

SHA512
b2b7106e7df20dc294378e74ef72fba363d05087a3c8e61064cc43e3891be1efe3ffe40c902d9dc7055e997356fe8e4f3f0d0bdbef32228126bbaf9604a18285

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
219KB

MD5
292c9a9451aa4300b63a10d7a48c102d

SHA1
2f5741f5c59031c3e5b87496bdd184ac8d51e7ef

SHA256
b87f5f208c97353ac50bb1cbcd8f4fa71e3535de92c799ba56e0a337dcf5f034

SHA512
e61a1bbdc816d1eb8b7e27130281989247ec4f58f6235d4d487308bbdd33873316556cd069219392dc45771b307abea8c2c9c5521db9992905a296c133692414

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
219KB

MD5
ac386180afeb234219d302cce9fc091b

SHA1
a534429d27ebd30720e4f1681f9f56f98c78093d

SHA256
4a357aef0b6586f4505ede3100f093f66bdaf004a146bf48757767588d48ec9b

SHA512
f9146031a89ea43ebb9f4f1ec2748c6db7eb9e39a0f010836a8b68f867e977de4b1375d27a48449ba604a319270c05057f9b7ebc8632c7c4ac80c575846bdf39

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
219KB

MD5
a52d8f7c598d924f4c05d5b71ce777bd

SHA1
a312be1bcef63d7576f9b19087736ef26cfefe25

SHA256
4a60f28ecf5eef0647c2200b33f7ca4ba3f1b4275d6bedf560e97c32eb87c3a3

SHA512
ba29b2d720aa51c642125badb493ee13ff4d6ffda9bb078452625633a957ac987137e7bc59d1d6dc693b68c241a809f7d1b68870cd0ae016a4974e75650c6da1

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
219KB

MD5
4b45a8f997eefad940a26af2378979da

SHA1
c1e8e1bbc4e2ee4c0a427ab0f4f9e4c90d97f85c

SHA256
5974bdfcd78c4b2c3cf8177de148dcb3f971344f6dbe01b13ce8d9ad1f3460f3

SHA512
29dffe2481dd410ae1ab67b79e609c71cf8dd7f56dbbc927cf027229de0e1f43bc8c04d4d8f05e03afa9c279bc65ece91e129e4c614a07d0d8246e6c3679b67b

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
219KB

MD5
8d7d8df3ef6fcc0c01294eed1c902b8b

SHA1
79c99070b11098fbaf8b14a504b5e2b6a6c61988

SHA256
379c1192e6c25d9ef343781471272b106bda7dbba3bc217792409e88d88a840c

SHA512
490bea6da99c8fe994adbb5f234100dc697c879d84624cab1542fa54518e3ef48639e9246b0dadabcf40517bd8c748e5c12e8b563c16462a724c5c2ddcbdfd70

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
219KB

MD5
b4c8ca079ebcd61a3874603be4b96d45

SHA1
07eb1b2b95d4a0472d4fce8b989f81aeb4f433ae

SHA256
4f266fc857f724e283b1e18f580899a44f003587f4b860cdd2ba116566e54872

SHA512
265f99bd6ce20537ffd00723d82f5526ae0620c159c0d36b3ac318a187962a8360494e8f5a45236554ac800ca60a3c72a61b930b72e71ab05ff95e044b178d36

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
219KB

MD5
81ee88d912eeeb970cf2823e7534c42f

SHA1
60670f5c161aa0845b6057f662dd00089a511092

SHA256
d57d457211e5ce84c013b9b14b433a3554d234e49a8a86a2931dc37c300db53a

SHA512
346557b8fd2ad0a8fcfe11671408b8220817479609f2413437d7426e1961d3674b5856c8a664570f1f747ada08ffc0c97241e17f61f0a2314a5c7e2e85efc461

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
219KB

MD5
6af71ef559232b1b5d2f020438d96da5

SHA1
17a78515dbd7b8f2a3462273d29bd28fb109e326

SHA256
6f027e0f75144b850b569922a771943ac11f50e59caaf594c8cb91f3c7a9617e

SHA512
d02c7e6420acfffea42e6163ac7509e8f0eb24ca8efb7bea1de532b6805ec488ca9975b915ce8cc4b48808ffaccbcd72d18c26f46cf09c39b755001aabcd5f27

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
219KB

MD5
495de48f9a08403921a5941035a6a078

SHA1
99697db60bf1569fa0e3beb3ecc5291a060f47a7

SHA256
959a5235df48598a5e5f00b75bf2e97f5b81e0c62cbd6428b9b626add02b84ed

SHA512
54dc4c4b541f19eac7dd442327c45cb808e94f4ba2379c886749d4847c880d60baa8e177e1ec63763aed08448ea8ddd570427a5df2cd1990331358e6a17f1ea8

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
219KB

MD5
8fe870816d0797ff979f0ab025ea3fcb

SHA1
af4e41acd141ccd8ad42422bb83dc581ac03e8bd

SHA256
682abfc82d4e23c65049d6996f17e320ee2c3f92f194e25beade42d68e57e1d0

SHA512
019b046789c1b44639fdb9daf91794919758461579a94adaf65b6d51ec2458472f15ba9867552df20c5d740a209a9b9adf7afef71579781f82aa808ede9e2c14

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
219KB

MD5
aeada392474b66bd1adf4e1a441d3329

SHA1
eb0988e3fa87640360b0a314e32294b7123a6e1f

SHA256
de18e314a376885888d16e3aafe90ecea8a489ee46c65829f3635378dd3ea191

SHA512
39ea7db4cffa49e2d6e3f09fdd7765ee1d01110ce859c10f1758deb73999edecc884d7229c9d2e34cda89f2758709cbd334b1353678b993335bf9f12af5b251d

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
219KB

MD5
d97f54c05155f7d237a468746cf2b3cf

SHA1
487c2fd212ef3e1629ee7a45785b46b7f641e93b

SHA256
612ab1f886e904bbcb56b36280a5153311ea3c51e4f22051636028e1ebc5fdf9

SHA512
242e53627dc6b9cf906500e45f4561e702bb801001c3fbbacf805dca666c138fe6542c7b84cc33b455a956f18c83fc121e73d54bef78757a1c446eb811549c72

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
219KB

MD5
8c3720beb39ed626bbb7f92263564228

SHA1
b1085ec21aa013d735bb79ea4b11a07e086fc3b3

SHA256
104b755cc725e1f8c28217cd70242cedbb017588d8ba0bc7e5c6d700d9f4bfad

SHA512
58b434f9b97e7f0177f16f8c1537490de7641865c9bad58664db61947d5c54be47a5b22d5e3a1530c5318a4af168e259e363d274b394aef3c1c0747dd7f4cf6c

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
219KB

MD5
371f26e055598ab54414b73e692221b9

SHA1
002ea8cb6b780c8ee744b580f96b2ef51894a7cf

SHA256
1ecfc174e2a0fb1a2aaa6c80ac4ca27c33b4e5e61be06c317e1c66de71695873

SHA512
00b1ea5d1e8490afed20c27d386e4124d0ea469f53d746210e57538ac2fb850f128846071503e4dc8d1c70dd1d78610970c903cf4c09eb439c5df501a9e7a3b6

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
219KB

MD5
8e3b9cb7e117a89370aeedf829e249a3

SHA1
b993f10f41ff3958ebba26abf91a2c79dd815792

SHA256
1848aea9513eeffe8be7e30d6f52fac1130dd35843d4c42441e00703a16ee49f

SHA512
9f974ba08836c9abbbd0015ceea75750c00110c6d86e5d0f027092d0bc34788450c2576e708f91918be742201fb63859ca776de15be5bb1bc9859fe743cf3839

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
219KB

MD5
5c0ef1cfbc8fa6a9fa995b24c3178193

SHA1
0f2234079a017f7b737a294de696360a4505501f

SHA256
8df8f08612504fb8c9afb414ad151e04cfcc63e324146157ffa45331f4da0b11

SHA512
39e4fbf650179c4d4ff7e2ecc1b36a042d5398ecc95658f13874d6c14b810eecb64d750646e516021c9f7dc92b107f327ab7b843d13f421fb989f60fbf8515c8

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
219KB

MD5
e1379b13a114503a813cf612a3d33a4b

SHA1
1daab643b4faf125fd7d6152852d46928958da45

SHA256
d986a73697944dcbdcc2f05139f1f0592d98f9d5ab53c1965a8a965d8c2f83f3

SHA512
1c24df59ed8726dd3b726dc24ce8a3b329152a4cddb08b082ceef35607c8686c0f254ea92dbfb863f96c8c1fc6fdddedc916c1b858a31b6f318dda47c74866fb

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
219KB

MD5
53548f7d22ad0df71bd1ea0472a8da54

SHA1
ead83bde84769b123b72412da18a3d6cbce7d57b

SHA256
0bd0ba315538d1137665448b0e8b3b50510f8d4ba45817393c8005abca890475

SHA512
90d578dacb464096ca26ff54e5f26eba2890e8a8dccabb9558075b2cc3818cec21fec10d3bb079bb6a588d6da73ec912b0935d5b1642c92b421757933fa71989

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
219KB

MD5
bab730c4b34111730107d4d1f8021666

SHA1
31101efdcdb7d4e23d01ce3c5272c575bb3c7bbd

SHA256
42f1270ac51e720bb5bf02bdae657bd6821c99ed652c05a4b63e487ce97a6e59

SHA512
8aded76e86676dec94fb0ca4b0e66d994660bed0e7ed64a878d86bde8cfcb65f3d779765e547ecd6c4640234fba8095a315ae1dc1ba358c7450d6fb4e7641c37

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
219KB

MD5
8911f0914e8838949af3f3195ba832ad

SHA1
062389d674bf2e052f91068ad1c1ebb9882bb8e5

SHA256
3925e2d3577c544692d2ddeeae0df2977bc6fef15cd6d45b6caca25a0694dc92

SHA512
5a73c3d41713bb3d5817d10d3ea60a4487a861783cee0c81e7ab9148d6bb3434e19ca71aaac3eb81fd12063b506a6933d754191c1da6ea0427f84a3e1d9bf46c

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
219KB

MD5
b51b45ce57fc9eca4a8b8b826131cb69

SHA1
3e8d1cbb36d0dff205de1fcda0901315209cb3ec

SHA256
0e11d9a9d578fce1807dfe70eb954af6de804d353fe2dd1a51d84240dda6119f

SHA512
69dcc9b6cffde7f50d8e737eb272d06166fd77401e8fdb5df403f45fefee7d2a56cd60cb6a41afa7d838cc3a626130edfefb830d5e5358e0b28f5ebeb216bc7b

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
219KB

MD5
9f1582e2911fe654a36b19b5624f7a8c

SHA1
eab7005204d350fdf823aff8ef1af8e762c1c902

SHA256
d39808aa540a28c5ab75511734d9cf2332e5576777b64ed1f131c8fd67b2728e

SHA512
8d30b8b708f96d268cd489e750b92c2949f6523184ac4eba9959c4ac76746dbe07ecb5a74f72d2439f1030376b5850c77e4997d6e4945a4e606c41d651e3ea34

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
219KB

MD5
401179ea58b95c75c2c441d533e6aee7

SHA1
7ee7f394b9872a7b7f29259af6f86dee25327338

SHA256
b8ec9f854bf45b3820b5d9cefcf2ca4b6ecf8ada34359b8172ebeaba374e55bb

SHA512
b2523a464b17d5f49c15312d363dfc610c7aba5a15c32266dd45273c9bbc90728606df14a6c5ba14f982ea8f25a1ee01df557033f6c8c838efc69763b101cf65

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
219KB

MD5
ef30175015a43aa270fb572d248a498c

SHA1
cf7b9a63d79e73f34c73f9ce3e53b5f318f4e648

SHA256
194ec938f461d2c5cff0e9a6a9c09a39bfe1b5414ec2fa629b34b7eb547d34dd

SHA512
3c224e73df7abadbd3000b9f4434b2fe0a5c4413cd1cfd0eb5c44449b165bc3bbda268c0f4c5163850b40c350dbab3c47366d5d20d2dc892dac384647a1909b3

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
219KB

MD5
9e12a5454df01a650d4fd7bc22c8c991

SHA1
fbcc46edb2592f8f6d314643d1e7ec5da90e4702

SHA256
e730d1c6350db95d32db730fa4dd770b418eb21852caa6194cf7dc0e01540fc2

SHA512
1d13215900ccaf51b058b1460c23cc0c563e5cc8cdc5d77970e290b8aa182e0ace19fcaa59422a4542254ae126c40a16e8a433ed496e101d567e4887a5c93b3b

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
219KB

MD5
c4b94876cf33b70d16f4cb64306c9214

SHA1
5b865837c1e2b1ddbce525b756c61c9eea5f8db9

SHA256
86453aaa5c9012f585742ffc59bd159414e73000bb8abafdf1515a7eedef8b6b

SHA512
f57b162528a83769a9a325358af26f6ca47670fd57c09e2fc6153b69f61cb3fc5f04540e715de6cde8b8d7ced0b0fe5cab1edce0b0206a026b5a2922adec7e59

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
192KB

MD5
f2fd41b013cfc8355957690f1fc53e96

SHA1
58a3636e26a6abae7b9c0739c5f64b7c96db46f7

SHA256
4972755310d8cd9f03875e9766883ea3356051c2ac1518f56a0396031f69a930

SHA512
b83ecfe966676a910b6f31abff9baf61b31666dcdea158ba71d7fd96a014e8ce7ad3e67c653285e57b1f63fc36683921706c1286d6440bc773ef1d3d3faf8dca

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
219KB

MD5
76e9944129f03d699374c1dde27c0a34

SHA1
2202a9b45fcc023b3bbf0f5707f32bc936904d08

SHA256
f35d8a056a6495c7cb54307790e7bf8f66d90874387998e64322b5e101b3d459

SHA512
db0ba395abcb84aeab8273038b0bb326815efe9697c118408ebe21cce18a59ac0fa10db4677188f91886ec545d41e3acdc0b688968376fc7dea74530172b6175

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
219KB

MD5
b6c85dacec8358e1589c4704401d6f5c

SHA1
d58000dae0f11348c6559e2ace4784f33c7d8abf

SHA256
ccd37de762827fbfbed37e742d4299a31609bba93cc63ef8774a1660c69adfa1

SHA512
e690df1cb94af6051a8081e9ad879536dedf8e49337f899741858bf1f93060b2cefd42b5553e2d100644f8611cc0db7372cb3dfb5c89c02f86be0c860ad091dd

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
219KB

MD5
b5442ce145a278c73d4ba640d7da966b

SHA1
a88bec5bc5018f84c9536cb3f1e27146b1883845

SHA256
3f639ae868b2a81c2398809b75a503682cd2f6221fe329186b50a435e8c9034f

SHA512
fd94924c25a50cc3b7eef6f68df083778e1009fa063e279cde5f31f8810452f772ae4b76ef349d0fcc4d2fa439dd2ee91b6e54f653ed0466e7d8f9abe9e1f6e3

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
219KB

MD5
163503ed951add77268c240ded33a006

SHA1
43b2c0d8403dc91b706d74ea2053a9d3d3f23f3e

SHA256
6c0443606eb9796e5e15726801f027a3c5447103519a68d6b7bb3f971c74addb

SHA512
51e7b1ca59307cf4fdf0c8989053a4a0a398323a69ff45e04283c5ad56f244580005afe7bb0d44729a0bbd47c8cc4242bea02f93ec9c66a53a4b3486702c4ca5

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
219KB

MD5
8a825d120742acd49e2ea9a120d80409

SHA1
c6f35e7e83a8c3a2575d241fd29bd345fd7b3c38

SHA256
8a2b0e17bacc85e0622394424c401a3e928ab1cba3a37a95c3c585a34ba87774

SHA512
6c677c691b6b0e42749ac55d1dfd5704f2f0f9ee9802a4ce47aaa8ed0e34e2872eac5a6f83eb7ab465e284b041f038d61129c6de8fb96f5141acce6fa8fd5952

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
219KB

MD5
1d2d48c176437629fd8f06d63a2e425a

SHA1
5605e64f93d4e1fd9714e0b846737ff3a90bd7e6

SHA256
5138b3ab4d1a5043f2dc3b815ea4f3e1be4ca6035020afaa5feac7cd2af5f7ea

SHA512
eb2a82a47b9c36680af48ce4334bccb2f7583f3416522dba19448edd111e4951e4e6ad85f2a981ca6f2b39558b9bc8dd8a88a3a8de9b5c8cea0c50023b7fdb7e

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
219KB

MD5
d00d15b18025d874fdfaebb3bc0dc8af

SHA1
1ca133538eaf39dc2b6639821c28b3ea74b930dd

SHA256
2fe533e8fb560683cb23b573441aa800b633b5a03cab0fa1801b874bdaed4f42

SHA512
e41d24b2c046021a3eb26800bb95416d5c86efb520eedee666ff8eb171f83f9c1c2956023abeed38336198a8b529c3701e6b0a0d9f7f49598793a694865dff14

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
219KB

MD5
2afc1ceb18ed55e960a67dcbab980c0c

SHA1
3c34db183a389aa8f5fa4528533f699f16e836d2

SHA256
4ccd73f0205987298e04cf7121579800da6439df7abdaa2724abf886c25ab79d

SHA512
f80cd8a31aa3f7a9223b97cf7ff89a44cc0c0e0e3b617dd25c314c46e2d0db18d41b3c0eee567a66381d95947c8f65519df9dc10e3e436ae86080b75feae6817

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
219KB

MD5
7f523d4496e66542a034edcd92de0b2e

SHA1
c8e26532ce04983d885fdc3196c8125facdf1e42

SHA256
c1271620786fd407a80987b25ec7a1de98d7b27f5b47ce5b8e960483634d4228

SHA512
cc562608165b073cb0c9820ceff0767840ec037fd328c071002fcf50090a8fde31e0d93158e6c30e88ad997ef7fca546b989d8509deb8369624adaab4fd20603

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
219KB

MD5
6ab0f96fc76b9079ca783c8012a8eceb

SHA1
917748e76b439e8476f42543068d8edf237019ed

SHA256
3d73bac77859d796f5f50ca34af350d650a3ddc2991de39048eadb46ae18d351

SHA512
2db45d09a7cc074f66ec6dc8e551f019114a1978e85386a6817c183b7cc8468888c7fcdbb6545ee1e4610cb60e41bc389ea69052ed45110721d4c253f1cbfca1

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
219KB

MD5
ca4ed1f458c9d4912df509633de981de

SHA1
1c89ddc978ae572f590a0bf45fed883b0d2ce5e1

SHA256
2a7e0d643715783e1d06dab6869ed385b170bc18776fdb81f887b0c90ee7611f

SHA512
c641db4c7dcc41a6f2280c73f3228667f1351eb6ed150f566f18d97eb6faef74ee559e1358bdba120d6ca66faa45386f69e44c64c467659ef664c1f660395868

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
219KB

MD5
fc9978edd33facdfe86298ddb11bb737

SHA1
aceb627d08900b7979808c87024ba3d4646738ed

SHA256
be2871fda25fe3377a0342f38e3a5bba81c97ff51708a9dd06a678867f13e3a3

SHA512
d1fc083e921db7ceeec344cc553bc38f19bceda82a39d59ef05edd3e307d0bc3af553af5cda6e525b8e094b5e7752f18c588b26c21f45fa2d96891b48dbb9ddf

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
219KB

MD5
c50916c0f5e5ee9febf006fe68cd2975

SHA1
aa92855c887fc7d2afa1f339fd709711573d56c9

SHA256
8bb232c85c96691957f35c46b115afcfc277cec5cbaab256eb851d270691c66f

SHA512
ca9ca2b2d20337ea5dbb85441d7791d0c89f03b9ff9f1d29a74a56794e14053a188096490628a772def593c48c7d4cb6417e78abb90bbc6c6fddb2fee7d1240f

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
219KB

MD5
c938c1a804bed9d1398c4dcc6a6a8681

SHA1
8a35990f2f4a704d36ad15168505015527f3b472

SHA256
104eefa36e35df483dacb24bd265c0ccfed85bbcd27b84a56678cf8414e8f7ba

SHA512
9f1cab2290f5b384fb70d085eeec729c08924f84031a9b4d74e41de597c4369736d6e280aa113c9af11150823d303ed6ed3d6bf63fb9b15b7eeeb3c9e53c82ca

Download Submit
memory/8-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/368-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/368-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/388-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/808-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1400-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1544-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3356-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3584-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3756-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3768-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3864-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4100-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4296-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5144-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5312-1015-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5416-1040-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads