d387315176df86e281c8613df2aeae223b103c51791e287f91580a9600f02d20

Analysis

max time kernel
93s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

352991df7fcade06c3487b49126ee130_NeikiAnalytics.exe
Size

62KB
MD5

352991df7fcade06c3487b49126ee130
SHA1

7881aed88cc2c354707f0e2a824b3cee1d9ece9f
SHA256

d387315176df86e281c8613df2aeae223b103c51791e287f91580a9600f02d20
SHA512

32d3555f59c521b354c3a44828abbdbc6b0ae245d4b6628bfc45e1b2539fdf4bd5f0a6f02a2221f08b2ad7e3f9a17b9aa9a6e4ca29a4ffdac2cf3f6a06935b56
SSDEEP

1536:szUv2xaaDErTTvOIsZfPKHmourKWPGyv7ve8Cy:qUv2LDEXKpZ3KHmOWPGA7ve8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe

Executes dropped EXE 64 IoCs

pid	Process
1060	Ehlaaddj.exe
3968	Eofinnkf.exe
588	Ebeejijj.exe
2756	Ehonfc32.exe
2636	Emjjgbjp.exe
748	Ecdbdl32.exe
1416	Ffbnph32.exe
4408	Fhajlc32.exe
2144	Fqhbmqqg.exe
2936	Fbioei32.exe
4888	Ficgacna.exe
4688	Fcikolnh.exe
5032	Fifdgblo.exe
5052	Fqmlhpla.exe
1732	Ffjdqg32.exe
2480	Fihqmb32.exe
4468	Fobiilai.exe
880	Fbqefhpm.exe
4232	Fjhmgeao.exe
2220	Fodeolof.exe
1672	Gfnnlffc.exe
2968	Gqdbiofi.exe
1348	Gjlfbd32.exe
3304	Gqfooodg.exe
2420	Gcekkjcj.exe
2208	Gfcgge32.exe
3056	Gpklpkio.exe
3452	Gfedle32.exe
544	Gjapmdid.exe
4560	Gcidfi32.exe
3944	Gifmnpnl.exe
4380	Gppekj32.exe
4288	Hboagf32.exe
4608	Hapaemll.exe
2984	Hpbaqj32.exe
1184	Hfljmdjc.exe
1240	Habnjm32.exe
976	Hbckbepg.exe
3216	Hmioonpn.exe
2820	Hpgkkioa.exe
2764	Hjmoibog.exe
676	Haggelfd.exe
4156	Hfcpncdk.exe
1476	Hjolnb32.exe
2004	Ipldfi32.exe
3620	Ijaida32.exe
3592	Iidipnal.exe
2076	Icjmmg32.exe
5056	Ifhiib32.exe
1912	Iannfk32.exe
1112	Icljbg32.exe
1676	Iiibkn32.exe
2008	Ipckgh32.exe
2644	Ibagcc32.exe
4856	Iikopmkd.exe
2640	Ibccic32.exe
3656	Ijkljp32.exe
1480	Imihfl32.exe
1408	Jaedgjjd.exe
3368	Jbfpobpb.exe
4780	Jmkdlkph.exe
1712	Jjpeepnb.exe
4840	Jdhine32.exe
4588	Jidbflcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Fhajlc32.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ebeejijj.exe	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Eofinnkf.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Eofinnkf.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gqfooodg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5532	5440	WerFault.exe	201

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1060	2816	352991df7fcade06c3487b49126ee130_NeikiAnalytics.exe	81
PID 2816 wrote to memory of 1060	2816	352991df7fcade06c3487b49126ee130_NeikiAnalytics.exe	81
PID 2816 wrote to memory of 1060	2816	352991df7fcade06c3487b49126ee130_NeikiAnalytics.exe	81
PID 1060 wrote to memory of 3968	1060	Ehlaaddj.exe	82
PID 1060 wrote to memory of 3968	1060	Ehlaaddj.exe	82
PID 1060 wrote to memory of 3968	1060	Ehlaaddj.exe	82
PID 3968 wrote to memory of 588	3968	Eofinnkf.exe	83
PID 3968 wrote to memory of 588	3968	Eofinnkf.exe	83
PID 3968 wrote to memory of 588	3968	Eofinnkf.exe	83
PID 588 wrote to memory of 2756	588	Ebeejijj.exe	84
PID 588 wrote to memory of 2756	588	Ebeejijj.exe	84
PID 588 wrote to memory of 2756	588	Ebeejijj.exe	84
PID 2756 wrote to memory of 2636	2756	Ehonfc32.exe	85
PID 2756 wrote to memory of 2636	2756	Ehonfc32.exe	85
PID 2756 wrote to memory of 2636	2756	Ehonfc32.exe	85
PID 2636 wrote to memory of 748	2636	Emjjgbjp.exe	86
PID 2636 wrote to memory of 748	2636	Emjjgbjp.exe	86
PID 2636 wrote to memory of 748	2636	Emjjgbjp.exe	86
PID 748 wrote to memory of 1416	748	Ecdbdl32.exe	87
PID 748 wrote to memory of 1416	748	Ecdbdl32.exe	87
PID 748 wrote to memory of 1416	748	Ecdbdl32.exe	87
PID 1416 wrote to memory of 4408	1416	Ffbnph32.exe	88
PID 1416 wrote to memory of 4408	1416	Ffbnph32.exe	88
PID 1416 wrote to memory of 4408	1416	Ffbnph32.exe	88
PID 4408 wrote to memory of 2144	4408	Fhajlc32.exe	89
PID 4408 wrote to memory of 2144	4408	Fhajlc32.exe	89
PID 4408 wrote to memory of 2144	4408	Fhajlc32.exe	89
PID 2144 wrote to memory of 2936	2144	Fqhbmqqg.exe	90
PID 2144 wrote to memory of 2936	2144	Fqhbmqqg.exe	90
PID 2144 wrote to memory of 2936	2144	Fqhbmqqg.exe	90
PID 2936 wrote to memory of 4888	2936	Fbioei32.exe	91
PID 2936 wrote to memory of 4888	2936	Fbioei32.exe	91
PID 2936 wrote to memory of 4888	2936	Fbioei32.exe	91
PID 4888 wrote to memory of 4688	4888	Ficgacna.exe	92
PID 4888 wrote to memory of 4688	4888	Ficgacna.exe	92
PID 4888 wrote to memory of 4688	4888	Ficgacna.exe	92
PID 4688 wrote to memory of 5032	4688	Fcikolnh.exe	94
PID 4688 wrote to memory of 5032	4688	Fcikolnh.exe	94
PID 4688 wrote to memory of 5032	4688	Fcikolnh.exe	94
PID 5032 wrote to memory of 5052	5032	Fifdgblo.exe	95
PID 5032 wrote to memory of 5052	5032	Fifdgblo.exe	95
PID 5032 wrote to memory of 5052	5032	Fifdgblo.exe	95
PID 5052 wrote to memory of 1732	5052	Fqmlhpla.exe	96
PID 5052 wrote to memory of 1732	5052	Fqmlhpla.exe	96
PID 5052 wrote to memory of 1732	5052	Fqmlhpla.exe	96
PID 1732 wrote to memory of 2480	1732	Ffjdqg32.exe	97
PID 1732 wrote to memory of 2480	1732	Ffjdqg32.exe	97
PID 1732 wrote to memory of 2480	1732	Ffjdqg32.exe	97
PID 2480 wrote to memory of 4468	2480	Fihqmb32.exe	99
PID 2480 wrote to memory of 4468	2480	Fihqmb32.exe	99
PID 2480 wrote to memory of 4468	2480	Fihqmb32.exe	99
PID 4468 wrote to memory of 880	4468	Fobiilai.exe	100
PID 4468 wrote to memory of 880	4468	Fobiilai.exe	100
PID 4468 wrote to memory of 880	4468	Fobiilai.exe	100
PID 880 wrote to memory of 4232	880	Fbqefhpm.exe	101
PID 880 wrote to memory of 4232	880	Fbqefhpm.exe	101
PID 880 wrote to memory of 4232	880	Fbqefhpm.exe	101
PID 4232 wrote to memory of 2220	4232	Fjhmgeao.exe	102
PID 4232 wrote to memory of 2220	4232	Fjhmgeao.exe	102
PID 4232 wrote to memory of 2220	4232	Fjhmgeao.exe	102
PID 2220 wrote to memory of 1672	2220	Fodeolof.exe	103
PID 2220 wrote to memory of 1672	2220	Fodeolof.exe	103
PID 2220 wrote to memory of 1672	2220	Fodeolof.exe	103
PID 1672 wrote to memory of 2968	1672	Gfnnlffc.exe	105

C:\Users\Admin\AppData\Local\Temp\352991df7fcade06c3487b49126ee130_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\352991df7fcade06c3487b49126ee130_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Ehlaaddj.exe
  C:\Windows\system32\Ehlaaddj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\Eofinnkf.exe
    C:\Windows\system32\Eofinnkf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\Ebeejijj.exe
      C:\Windows\system32\Ebeejijj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        28⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        29⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        31⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        37⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        46⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        56⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        59⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        66⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        68⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3688
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        72⤵
        Drops file in System32 directory
        
        PID:620
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        73⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        75⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        76⤵
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        77⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:728
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1580
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        84⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        85⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        86⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        89⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        90⤵
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        92⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4892
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3312
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        95⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1884
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        97⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3876
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2464
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4452
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        101⤵
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        102⤵
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        109⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        110⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        111⤵
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        113⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        114⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        116⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        119⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 412
        120⤵
        Program crash
        
        PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5440 -ip 5440
1⤵
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
62KB

MD5
ef7d9701bf34e74303430540c70922a3

SHA1
f6a86d4f3c660b8d455d84a43aa5f8fcf5ac14d7

SHA256
9bfe0fbc9a54a9c2b78e02c26880491ca6c2abe355b27ff84d54bfc0df081268

SHA512
272c9c73c3d3a588ae934152bbbc02c197284a2cdae39bcac2615b553d10bb6f5e9b6987942c4f06a0d4a8f5e56b9c48f2291abc8845f56f478f2bdd08029b35

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
62KB

MD5
c4d203d154a9566f3799952dd0ba78ff

SHA1
65f7cdfd95b6ed73c475dacae61328f5feaf624f

SHA256
6d799717a26cb970f5dd3b8e983977f254801a107c125757021b48c968bd7db4

SHA512
4e182ed2680bfa86b3534cdd18d5aba20032ac15a23ca62f2d24913a52c2131bbc04f0b95add9358c3466931ab4d2fb82667b5f0aa09e67c6b4e8c0f9ea5ae74

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
62KB

MD5
8a9f04e7758b3983f969fe0caf304ed3

SHA1
7a663c60a95b2040b5fb028e0d193ee5fc028775

SHA256
b3243e570a06a92c686eb04e25a153da2b9646c163ee427e3fb690cc68251703

SHA512
da5cd8d772d1edd1a204f2148838f1d6d28b4e4087a55abb1453ba639198c8cd70c4e802f1b09d0a5896d62b7b07f17fbcf20b57223cabf388b664aa5c6e2fd4

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
62KB

MD5
64160034ff5c644bb98a8e3a00f7b4ae

SHA1
3316509f26d9f8ed3c63936cae4d812f0e76b071

SHA256
75520dacbd08c01b41891a6aee946921396399505f616a669f3bf87fb9aab7d6

SHA512
1ae8cad93a9b6b2d3913698f0371c6669d4f0cccf063eeb5952fb96c34ffd23522ea2299a48a83d9da9a5ca9e5bb70704c89f39066b08fee74bcf630f4b744df

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
62KB

MD5
d826ccd1bc5625e970d0d91dd73f8fe3

SHA1
11f6111627b4a94addf8a5d813dc9d7e9979f41b

SHA256
b83fbe4d8766483742ba3e47786ab60bb891006400727427e9874f705f1bebe3

SHA512
057cbf4ea871e5ca6b905d7d1e451b90d7349bb5ab300d2859d3aaad1ee1b5c9cdab8e94cd995a5f6d45dfe24a2e4823ad79e9f046852412d21027ab76e3f723

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
62KB

MD5
accf2fe95561842cba604bdfa0fae2f8

SHA1
3efdb6f19612f00e185510cb6677a38ee8edb087

SHA256
8954e41e42e0ca4a7ba8448e8d3074e3a5cd418ee62309f0253cdff5d44a6b4d

SHA512
af411e85a0e4faa78605cc669c4f740d958ec9355c7dae447974081e32c585a016db83c9129285ff63e3c80ba31f1e7cab7fc718e6b203497fa432f2d49e5e3b

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
62KB

MD5
7f129691d38336c743bf2acc82bd4f0a

SHA1
3ec5cd2302c2a84953b9e1803d36a3ef4f874d27

SHA256
3890395f1198b78b3084f2fb5ec8940bde8ace9de5e4b0ffc4c26e67b73d0559

SHA512
bb412bcea391b5ee09b357d7db2bcbd99b7b545b98438dc7c519be2525a1dcfe4c799b86af02c568adbd90cbbcbbd5bc9018f1d491336c73571f65f5ec764956

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
62KB

MD5
97019d3df69cd3c9a446fe9c8af016ee

SHA1
f9e4316a983de47d6157876ed51ce4cdc7f4e649

SHA256
b4e48ce40e1ee18912187fcefeb0e33a9b51aa9cc380458452d072e533e4c9ce

SHA512
d40dc7da2cb4530eb3af8cf8b57506b2de57123abb22d2dc84847ecf4e7fe6a1186808c0a2ba58c5d7a88d0e8039454370e14347f78d13ab1d33a5b5ceb21f93

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
62KB

MD5
a021e14471c630756bbad028f4522715

SHA1
5c20a02fab529071560034d613c3666d2de80c0b

SHA256
ccf52724bc23be93673e7f7bea27c726c5085a590a4a9ae36772de1e97b38aee

SHA512
559d81ff3d81f0711b520f976b14238a08997c54da010420171e80e1696254c8c844455c9d8d8c4346bc6a6a10e28bb5dc85fd23b5342c331628f24016a63165

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
62KB

MD5
131706d132b3f34eae259c979a4aca12

SHA1
80bc4fdb7cd63f1c40283bcc24c0980864b6fb40

SHA256
146e9f5f5bcb8fd61d67398c5a1c1c045b58aaf7d3014246237de7ab91332182

SHA512
8d3da619c5bedfb6a573934a3ca9ed68a77c2b6ed269b2ef732f4cf06c22626253b9df518af0d432421ddef67508430c902e1565b8e3cad705e39201ab6bffd0

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
62KB

MD5
527a43ad9c78f40a5a4a1dfce9127b98

SHA1
223d16dae5545582bee261ffd0ff904f72d27307

SHA256
3ed93ad0771a7143ef992d4316cbef9682e3a6db6711f4022587d8a9f4e6aecd

SHA512
920d935f71c7f4ce457fa537fb200670d2ef75fb1eecb22826591cf0dae10cfa8ee9bc52a2a2c5d8cf4e98582b23a56f9c1df3577c094f16d188e119036905b1

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
62KB

MD5
dbabfa258ff818c9b784afc0cdc260ab

SHA1
79ba1930864a889bd1ecb88febddd30ef2958c56

SHA256
188fb8564d4f3f37cc903a29a925ae126af5e125d841b0b74e799124cd7c9ea1

SHA512
0b227223b01eda84b5ba57785834d6e754adc9f876e0b1a0b69d3175494fb2db56878ace6bfdf74f179b7af373b8a75392ab2da157a400bf81112dc7f4f8886d

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
62KB

MD5
b41658da05e6b82bd0b87fcfdda785d8

SHA1
ab71dea1338ed850d2354f8de5978635cbe0ad55

SHA256
8a30bcd6ac4aca54ed4b054ce5b7206645764d7f0c69f33525030016df5bcd65

SHA512
335a61ea0ee1cf315783032cbb199cf65f48a0893f8e03bf1033debc2a3767e2c43ef3c332ca460814ccdc05b4c34f8460c04f52b6f2c276108958415c78193b

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
62KB

MD5
361a8a8eae0115d883453f4cc6a97f10

SHA1
a78dda216a6331db3aa1671cc453c4fbc36a2401

SHA256
dfca142c3f00dd53dd70d2149cf0469a43290e90b9ceedd1ebfb344480867244

SHA512
7a04503b06794fa53cdb8abfbed8736c1282b638db9070727d5a8e9cfd336e2e0a427cc3deb1bb4d1ca58fec3532e8d02779df53ee17bb16d5412d77b07cac6a

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
62KB

MD5
249b71cae9d6f8a6d01e5c8cf6a9e2cb

SHA1
eab535c933b4cd0df43cba8e15215a3d9a94abba

SHA256
5697ee31ffa19cd090d38c0d8477e64857fa7b3caec929956aee5f166d1747a2

SHA512
4e88b90fdbb7b2203e558765e8d0b9d69aeffd416a97aa8050a08c2781224e91cd6f022d6dee73b47f072bf1b9d6f37137611785e7d7af38746784ba6f5a2e3a

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
62KB

MD5
4bdc56b923856b06b60b908638796d36

SHA1
f4c3aa0c16ee8fa6210f848a257f090df06594c0

SHA256
21a7bd2286c7ccf13bb3beeeea0ca2e96e0f6ebbf7f6b07ba3d7a72e1190133d

SHA512
90c35f2301450b5e43857f6da0dd977139254cf759ec56520b1affc83dc921a190f6b9bf4e626a77e596e83d093ed967c2546e6ba58d6d8d87594783659a67a0

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
62KB

MD5
f25b3147d3fbcb4f5c0fa1408f4fdb4b

SHA1
0ffb3a894814370ee379b372ee2f902ee6a41163

SHA256
728487a7c7281e0cbd4ed398579e58fe61958608c906c1f7ae228be9fb22dc89

SHA512
45a2645aaa6bad1024b27395e3ef1de4f91d080f67a99323af46507821ca18731abb7732d407fb3fb9d3520be3a4d36c490f114f5e0f241110b187232386497b

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
62KB

MD5
fa25f308ce87d4180b24bc4313f6ac0d

SHA1
f119e8fcc81f0b978a3ec7f9c49b03dcc67a4c11

SHA256
4ce6d01ea61c68f2d1872e8e598a89113a0502fc29c1292e1b4f7b27dc9ea7d8

SHA512
097e13fcb715621202b9efa3d1692104717f52fb49f1fa8d85516f19c0f7d42bc3abd1f813897772871bc0d6d6283911d1817610f9b052f757c630eae3a99c91

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
62KB

MD5
29f9b0489bd84e080ec168c4527ea41d

SHA1
0394aa66a13a6b4d02e1b311e7a886daf1706abb

SHA256
60da61e6d55d82f416c22d8cdeec9f14e47f8d921264312c796785c14962527d

SHA512
eaf7352dae14fca218084f2d9e8b794dc2e028624563f6a168b86255c030d9999b3ed0b500ee4ea4c68d5b52bcb5d8fb80f4705c7bdb04a032159133ee0b5927

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
62KB

MD5
f7001eec7a9ccacf88c499113eaa278c

SHA1
c14aea11e238652d2fdac720c0a0c19355efe23f

SHA256
a8ec5d808cc6a7ae6db41a838f1a0df2a651e173490d497b5414e020c8c0e74f

SHA512
775f917a7ba7e4e2328f8ba692bb883c8e2f7688c51620c9b248b8d2a7f2b957e3c00a306e7468588926000b1d78059d54f977d2fecc722768280796609c2c84

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
62KB

MD5
ca8c18b9b956da18fe3bf02a048b6625

SHA1
82cb0a69962a3a97ce203d9424c0e28f60276683

SHA256
a28726bb2dabaaf8126b21970a3b7fe52551647af1604fd65433529fb00c158a

SHA512
db3082bd12e6765729cd6f3c4e2be933b3e58e8cf12a3ba66f2ddbe247dd47bcc95f4cbf18f015597500935025ad6a1e06d6dc251bd1e824951003de71a93c1c

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
62KB

MD5
4e5097aa6ac38f3ddd40dc0b0c007a35

SHA1
4c7062ee24ad5b8abb839043bee13333cfb704bb

SHA256
458d409cb2e7e57f0cdcde2be9c3eda76f1b34c4425faddac692cc86306344a0

SHA512
76be41b8ed1205ad86e0524fd36dfce6ba0db4593dc394d799972aa41b3de906871194bb3bc1c4dc715262dd7c9a8dbf48ebf1813d90c089cff9fc0d6d7ea5aa

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
62KB

MD5
80f2266e3ffc43287d5f9eabaada1e29

SHA1
1248948330d1584cb3ad2589d2e58a861e804d74

SHA256
84707102ef95d8fdb6bebc7f993350536851f9cecd148aada03dfdd42286e74b

SHA512
3273c5ed795db55b7382586a90d9bcc53ff79985890442ac98b0908c438d04c731004ff3c29a9d05699c1891eaf5c714307c5bb23af73f9735ef7014f208e89a

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
62KB

MD5
005e5539841821580d5b446473740910

SHA1
73cbcd12518016703eef790b7ef272715e1f7612

SHA256
b43e609e1222709e3e5d4be0906a2106ecdff8a9f51a1fe315c006642d0266b7

SHA512
2e08f02c5318c1a0df6127dd73e4a66683121e0988f84d65702fce2116bf67536c36b53eda0cd5aeeb83887c22361cbc38adf9a2c5d74ba21b2e5fb200d313ac

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
62KB

MD5
a6072f31a67db0457b3c950cd81d54d8

SHA1
a4fb928c0e2d89addb137f9fe9c6995d4ab0b499

SHA256
e8ea8b7ae1dc5f16102117b372eb03218df1d32b3b48b3a3a15e19a8d2849ef9

SHA512
c162a978671d6cb85a23cec49115b9f904f7eb9a4758a459fc47712a306eca8c0dda43fb8ec3b4163940803068db8abb50f8cc3e6204d964d9f5ac6d8a81fdd7

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
62KB

MD5
59ccc9b825e5f2f7733e1738f7f8fc50

SHA1
ba05f907c0d9bfd262ae0b54b61e0850c29ae958

SHA256
65833fc161f15030c13e037051adea1531e362e58e35f8be4257852226d044f6

SHA512
a8e66327db1e6d727a54f8711cb1b7ac32a29c3653ec440ff2a7ac50d2c844b04fc68517ad150a37b8e8c837387459c18482c5113672abdca5149678ab7d3f23

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
62KB

MD5
cdb9d5e57040ef328e883f2a2b3a1dcd

SHA1
e845b857aa8eb59b40788bb7237b41cb9d6e24c5

SHA256
266dd3c8bc6f6b2b742c4fd23224d2a7810364f8948d466bc8614d3f3ecddfa6

SHA512
2c62f782d331cd830753cc31ea5ca83d2797c7190d7a173f42a685e64c4b461325e11322a17c8ac6c449b7aec84d1bb36465a5ec37255f0fc483e7766f5841c8

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
62KB

MD5
767196e1a9e1050bee7550e2a389661f

SHA1
c09cd97f08d829bc1f8005bf73ceeeadf6dd9a03

SHA256
bfceeab02fa4a7df05bc7c97c4262527be773e06df3b546472d37b3fae4add5f

SHA512
c32d11638c5c472d87a63b639b99e27f529121420ec5b9ce800712fded93745007cee18c71bf6a210c79e3bc371cca4825da5de4287f79a1ec4f109a14d0e0a0

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
62KB

MD5
4342451b9aef090158cda8a2d99f6185

SHA1
0c20a23b880fbe2dfb02efbaad5ead694c3fcd6c

SHA256
effb5346c90c9f84a4406da24f722fbb2f960fa0e827ab410ff723ce2c244b2f

SHA512
e34c6dde73930e5eebffc9edcd0673a9a8af71e9abc8dbddf2c485176a55bb799e68e9fca216c94c69a589be5967c0873077f5c78ef5d529b5622e2440678e1f

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
62KB

MD5
7a5f7c641525e859d089412dc9ec4602

SHA1
d3e810bdf95fb750a3aa9153ddfc84d511c23843

SHA256
fab510e6755c07a7d48e9e7dcf53a8dca67b63b9edd1a640a9282e6cdc8b3370

SHA512
4ab52d48ab0a3fd9184231069aae34c2c708dfa49c86a757af90d04a4481b0837feee460ed95e39ccac27d7e755f2a5912f298b38015863f1d042813580a58cb

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
62KB

MD5
37f772cc74fef972906290d99db0f3c9

SHA1
fdc0ce96bdd9ce2a29c45774edfa70ed6d7ff03c

SHA256
983d7407bc6d2943143a14af52f4b4fcf41af09ca37ba2581e951def789de4f9

SHA512
2ae6a0d7bed429684930575ebc97475676ebe8e30c6d643cd3d2db05ec8e0cf0161a29736d349ec018905b5a28aa1032080af7c7e30885e484ea875ea44a45fa

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
62KB

MD5
10ae79ddcf3a087b554488586bcb64ab

SHA1
2cdec5d75b1e06569b8c57b448e34a5f3a1e8319

SHA256
0991b54d4908caef6bf731d9baffc0cc4d4b41734640305c4b5bfa4e3878b559

SHA512
42fba699051b54864c1b3d885f97428407bc4cba5748ad96a9e7108d6eb15ce6462e399af3c748f18245b15130d75e91c9ff9ea3fca9b924c1cc730d9ed98ec2

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
62KB

MD5
51dec29b2643a7c47424e33e9c43b82c

SHA1
04ce03ac4023634ad8ece7ac7a16168910e7d5b6

SHA256
d3023ae8822b9086abe90e44ff52318fd2b90d587bc488618aba28136cce4a26

SHA512
19099483438059812558e696c272a479ee932dcf07f825f04609e93c1669a05f0b3f70c1328e577d402384cd9d6cd1dfddef151eaac8ce82c03bb53f11d969e7

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
62KB

MD5
cb794a6be5ce6e2bc73ee144eda8d045

SHA1
ee4f413465402f569f6e3937a984306df8b5e5f3

SHA256
871484a3c2ed02d7fa72780cb50377f99792204d0fc9b0a30b9673ed2d3489a7

SHA512
1ddc4e0221b1f6a099c5e8fb43c6473ebedaaac17e8819055ee07f3b1b2859459e6319c32def71cc30e56ef62d375eaaeb83d13d5386c37fdd2ba1387600ad05

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
62KB

MD5
0c81befae05edd9de26b6f17aefeab78

SHA1
cae6fec337f14c96931463d78575525e3b38c386

SHA256
39f6358fe1449497e3ea3da4ef8133aef812f0996a760b4d05d5af02d68d305f

SHA512
21e7dd5535004f5589e52e2642d972e9789dac1d0f46cbf9844d32c95e86f9c78ce2a4fb8081c1affb636af30a20f813c759056649e98aff2a4a1ed26820691f

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
62KB

MD5
2f0ee51b94e0ec546baa44f095859065

SHA1
f0d4bbb37095429c607aad185e9d0f540a8a567a

SHA256
40d561053d64084395b1c6f5141513624f6f29dee37d2bb332a2df267545789f

SHA512
1ef1030336e83f97e332aa9b9b8cbf3f8c57ab51e420310ae4bdf18f358a6e7a6a36fa016dafcadc1e57654fe1119a60adfcd4db41c46fe2ffd13980ea4008b9

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
62KB

MD5
6d38d8fc2f0792d5c1a2e5e9a4ecc5b4

SHA1
f1c42fd8905e2b6467f31a4212b923d3cffa614e

SHA256
ecac417eb9a8c1bff2d334f350f5108f7622d2444bb5bbed047416086eacb3d3

SHA512
e0de022f4a0bddd06b0594e661c3be08308e1ee285203007ab9ab2789fc2da87135cc10d7c9ab996584ddd6de247fb26d9b2918d06355773703b1b65dcc95a3c

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
62KB

MD5
e104c7ca13571ca080359fd5d9709761

SHA1
e9d75d51f35584d1c8fe3c204b5186e72fde4d7f

SHA256
a79772be43bc96dd03f306c9d11957c85fa114e3478d471550640debd08e540c

SHA512
1f5eed0a7f3c7ec6fbda9c134db01b0d6d62bfb5936c7e0330e2722a6e2beda6e171a42b7ef3e66af4ea36a5484211fb8e4bee034267cf99874bcb5c4a0adbac

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
62KB

MD5
650248b4612e06d8d8f73b99fb04f7b5

SHA1
c29534a41bcae21d93e64bdf58a159bd83514339

SHA256
62b8c86851c0e7bfd4c1a369f9140020dbd99083902a88bef40a949aef63bc2c

SHA512
5251cbbff158d460c78a639972cf69263909abb720d42c6cc8de8d54e87ae7df671e816f33f603ae46fc714d4094dcf523037c19e2949f83d5811bbbef4361cd

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
62KB

MD5
f9a9a927665efb327cb1ee98e7535e27

SHA1
440c6a218f7db8e2e52f69a7c1d2a6cc270ebd57

SHA256
4ce39325e2020a957b1af11e2ddca71d2ca82fc7b33765b3684cb0f4c37dd104

SHA512
49b4ef08c5ae398e13ba98df9b233f063f9b5695fbbe02b42a4102e09ca4577627d47eacf83cf7cf413a31c3fdaa2945a8d72bda84fab4755a80cf27ee127788

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
62KB

MD5
0d3b87fa686662934e640271f1d26b2e

SHA1
0f47709bddd51770bd43814ceb571e56406a8d40

SHA256
8fc90e4c4e3ddcda3c4c96cc19bf98f4b932546e341689ac87afa1962df9e331

SHA512
3e8cabac39bc228441a21329dfb2ba4ef414b8791eebe40112e9b20d4ca9799a602ca3856ff5d28101a8ce73be2e33b1d0d811ad8660b9e2a59fb1cf71113b3d

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
62KB

MD5
4152c6da096568ffbd1addd47576ba2a

SHA1
4bd6c569f6110e7088877f6f5bb73ac8e21fa533

SHA256
15bcdfa482e5988d338da71eab451139386af8b985e04be599a06ffd7dc2da2a

SHA512
a3229e53842b6f3f8cf9da7581851a1294a13f1327ea7a7f0821d674bad60b955d082548a10697661d66844e1ff469451c78bc3f067f093ace6316d5cf06e1d4

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
62KB

MD5
ad6ef96cd18a63191eed3167b39307eb

SHA1
8168be42f2b2ddd5dc3f651c152d2fad8f8892c1

SHA256
916b463128c6a8c1299e4358b1565e40b17efb2937d28c94fcd679cf52e5ebed

SHA512
8330a8d736a52effd61e4bcfdef28db02dde9ff4bc51944fdebea5a89dee59f725257f4564386028e70806776f6cd7045285dcf9319853cdf0f33632ae5bc570

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
62KB

MD5
a233fa0eccb13de7b231473992d38184

SHA1
dff6416be516b69a6d84d760d019de86314a1054

SHA256
cb345a077aa28ecdb09fa1fdb76326c640d88c8b06526e2e5122d415a7dc945c

SHA512
2e39b2c1b5af3b1d7d6fc190e7345be39365b399019ecf9028feeef962b7240f06102217c77d404b4250a8511bbc6845e82c0d050d546d93ec2f1e527a89b932

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
62KB

MD5
0434fb4c030da21adf9706bc8ebf327a

SHA1
a8e1248d1065f14b70bde6bf5be420f626ebc713

SHA256
969b31d10c2e3b7d2d0411468ad588985fab1d21d02b1138428ac67aeab81b43

SHA512
dd1e1f8f718addd6fe8183d17c37cb1fc9d96949c2ccc0e32c5ef0725f54af8cfcb8a1523761a6139133fda3f7dcf86f92622f24ef531c6a998e1b2deacfb743

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
62KB

MD5
317e7dbca715bcb3fc3c90aabf520781

SHA1
b8e820ef51f476ab8aa223fa9a8bc977c1849d3b

SHA256
63d9fca67abce2b375e54c69bfe01a42852b2d6b79a71d44e25583312a8a6f68

SHA512
33998fc70f8d96e3b3ac4531b8e650af3bf6b1a2da7fbc992501fdbda4abebaba06e38cdc12cc5a0d47913ddaa59380cb484a794ab80320246a04071c4c22fea

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
62KB

MD5
bd978801c2a789022c40da5e251ce22e

SHA1
f6bc1808709fcb801d5bbe46898dcf6da0fdc1ac

SHA256
322fc156549820456ed8e16e4df2ee4e0b756be5f87cb8862f5409207c226de9

SHA512
706dd031b637587d3b84d8c3f2e56f4f47f7f1521026c281b4ee3f022ab1b58f32140ccf5543082ba02fa496c3a9d402763d198a54b502810798418d9c15c069

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
62KB

MD5
5584600af49b48e5a44342124629b602

SHA1
8ca97aefa55eacca9da5deee367d8a47e63450dd

SHA256
c26c860870feac115f92c76fa96985fd4685c8075fa724493d6b312c1fb8dda4

SHA512
ae7f325548eec819ed4460145719bee7742be07a613cdf40c78b8b244e039084817ae9add01f112daf78c2953108b1708ca7b62c7b75c6b60e91b4e4dc69e0b8

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
62KB

MD5
3805306ed7ea3cf946b683bd644a2804

SHA1
48d96497d99a54bdd871b366613dfea2bb4e0059

SHA256
93ab1f6cbe11cf2aebaccace8195eaf57fdb727f2b22dc18b4c633f48ac18ec1

SHA512
793c9534dce4c4004a2815c87cd01fe1809ebb72cb605444937064528943e1a240fc3bba8e34617f319ed4536e1620cf18bb5deb1c3863168b79a94dd9842753

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
62KB

MD5
7de54f8aa1f2ab90f6ad5a716279b526

SHA1
b9d0cbf02bdaccc6ff5b3bfa5bc2147a4465e272

SHA256
42cd709fedc4c5e3c8049261cb1e98a1b230953979bc153c29fbd517b7c2b0ae

SHA512
6ae283b4aed7e3452e1998d8efda493938e0623bcb8d617cc6ad6470faace5ad6a0146e428bb11ffcabc3f724e2b8b7ed2a0ff639029de7d65784e5fd10c8a68

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
62KB

MD5
96d0209d4d6485e91211ba764483e247

SHA1
19e8898b4ba56f7a0d7a7e0ba1c12168eff1c010

SHA256
c60050f057b821b122fd0dec1e1f7c13f334ff066523955a8ec7ad0b32da8253

SHA512
e08abd8c94dd193171cf49cc49e132a3601b9451a5f43b755bc18091699155f51dd343eb2687994f70e7c27a8a456e8d0d54f7bf03662b67be5d62c92f59b692

Download Submit
memory/544-325-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/544-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/588-107-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/588-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/676-416-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/676-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/748-54-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/880-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/880-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/976-389-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/976-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1060-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1060-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1112-410-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1184-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1184-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1240-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1240-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1348-196-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1348-283-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1416-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1672-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1672-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1676-417-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1732-126-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1732-213-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-403-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2004-368-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-393-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2144-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2144-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2208-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2208-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2220-258-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2220-172-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2420-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2420-214-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2480-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2480-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2636-45-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2756-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2756-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2764-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2764-409-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2816-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-402-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-333-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-187-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-367-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3056-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3056-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3216-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3216-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3304-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3304-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3452-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3452-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3592-382-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3620-375-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3944-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3944-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4156-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4156-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4232-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4232-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4288-284-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4288-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-277-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4408-150-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4408-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4468-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4468-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4560-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4560-332-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4608-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4608-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4688-186-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4688-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4888-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4888-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5032-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5032-195-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5056-396-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads