5fde70d522ff89e19c2f2a1e22f78c59f5f6616d0be7422ad876c4a23916766f

Analysis

max time kernel
139s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86b81666b4dbd4765055085c15006910_NeikiAnalytics.exe
Size

101KB
MD5

86b81666b4dbd4765055085c15006910
SHA1

91887a08fdc40834f251eca52ef6bf7d968cf517
SHA256

5fde70d522ff89e19c2f2a1e22f78c59f5f6616d0be7422ad876c4a23916766f
SHA512

093f740d49c9126d8de468d42d35cfa290ccf029ba4f3b142b2dc98cb9dc09bd4678866177d132204f53d57cc0b35bd834b0811a6caf560f53410b1cf68d313b
SSDEEP

1536:ioOJJ1iT2/KNcdOYjzXtuXqbyNXrg0sZS7qlDABU8B9HYcJvDX:iosY2/1/duXqbyu0sY7q5AnrHY4vDX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe

Executes dropped EXE 64 IoCs

pid	Process
4004	Fmmfmbhn.exe
1224	Fcgoilpj.exe
4328	Ffekegon.exe
4028	Ficgacna.exe
4712	Fqkocpod.exe
3656	Fcikolnh.exe
4800	Ffggkgmk.exe
4704	Fifdgblo.exe
4212	Fqmlhpla.exe
4236	Fbnhphbp.exe
636	Fihqmb32.exe
4988	Fobiilai.exe
4776	Fbqefhpm.exe
2500	Fjhmgeao.exe
2780	Fmficqpc.exe
2208	Fqaeco32.exe
4396	Gbcakg32.exe
1712	Gmhfhp32.exe
2588	Gogbdl32.exe
3348	Gbenqg32.exe
1344	Giofnacd.exe
2416	Goiojk32.exe
4572	Gbgkfg32.exe
908	Giacca32.exe
3320	Gmmocpjk.exe
1496	Gpklpkio.exe
3928	Gbjhlfhb.exe
3728	Gmoliohh.exe
3436	Gpnhekgl.exe
4284	Gbldaffp.exe
400	Gmaioo32.exe
3100	Gppekj32.exe
1848	Hfjmgdlf.exe
2732	Hjfihc32.exe
4848	Hmdedo32.exe
2028	Hpbaqj32.exe
4748	Hbanme32.exe
1436	Hfljmdjc.exe
1420	Hikfip32.exe
4888	Hmfbjnbp.exe
3004	Hcqjfh32.exe
3188	Hfofbd32.exe
5092	Himcoo32.exe
3036	Hpgkkioa.exe
4340	Hbeghene.exe
4520	Hjmoibog.exe
464	Hmklen32.exe
5064	Haggelfd.exe
3572	Hcedaheh.exe
1540	Hfcpncdk.exe
3032	Hmmhjm32.exe
5068	Haidklda.exe
408	Icgqggce.exe
924	Iffmccbi.exe
1076	Iidipnal.exe
3644	Ipnalhii.exe
528	Icjmmg32.exe
4016	Ifhiib32.exe
4356	Iiffen32.exe
3216	Iannfk32.exe
3764	Ipqnahgf.exe
2376	Ibojncfj.exe
5112	Ijfboafl.exe
3692	Imdnklfp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2424	6176	WerFault.exe	257

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	86b81666b4dbd4765055085c15006910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lpappc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4004	2260	86b81666b4dbd4765055085c15006910_NeikiAnalytics.exe	82
PID 2260 wrote to memory of 4004	2260	86b81666b4dbd4765055085c15006910_NeikiAnalytics.exe	82
PID 2260 wrote to memory of 4004	2260	86b81666b4dbd4765055085c15006910_NeikiAnalytics.exe	82
PID 4004 wrote to memory of 1224	4004	Fmmfmbhn.exe	83
PID 4004 wrote to memory of 1224	4004	Fmmfmbhn.exe	83
PID 4004 wrote to memory of 1224	4004	Fmmfmbhn.exe	83
PID 1224 wrote to memory of 4328	1224	Fcgoilpj.exe	84
PID 1224 wrote to memory of 4328	1224	Fcgoilpj.exe	84
PID 1224 wrote to memory of 4328	1224	Fcgoilpj.exe	84
PID 4328 wrote to memory of 4028	4328	Ffekegon.exe	85
PID 4328 wrote to memory of 4028	4328	Ffekegon.exe	85
PID 4328 wrote to memory of 4028	4328	Ffekegon.exe	85
PID 4028 wrote to memory of 4712	4028	Ficgacna.exe	86
PID 4028 wrote to memory of 4712	4028	Ficgacna.exe	86
PID 4028 wrote to memory of 4712	4028	Ficgacna.exe	86
PID 4712 wrote to memory of 3656	4712	Fqkocpod.exe	87
PID 4712 wrote to memory of 3656	4712	Fqkocpod.exe	87
PID 4712 wrote to memory of 3656	4712	Fqkocpod.exe	87
PID 3656 wrote to memory of 4800	3656	Fcikolnh.exe	88
PID 3656 wrote to memory of 4800	3656	Fcikolnh.exe	88
PID 3656 wrote to memory of 4800	3656	Fcikolnh.exe	88
PID 4800 wrote to memory of 4704	4800	Ffggkgmk.exe	89
PID 4800 wrote to memory of 4704	4800	Ffggkgmk.exe	89
PID 4800 wrote to memory of 4704	4800	Ffggkgmk.exe	89
PID 4704 wrote to memory of 4212	4704	Fifdgblo.exe	90
PID 4704 wrote to memory of 4212	4704	Fifdgblo.exe	90
PID 4704 wrote to memory of 4212	4704	Fifdgblo.exe	90
PID 4212 wrote to memory of 4236	4212	Fqmlhpla.exe	91
PID 4212 wrote to memory of 4236	4212	Fqmlhpla.exe	91
PID 4212 wrote to memory of 4236	4212	Fqmlhpla.exe	91
PID 4236 wrote to memory of 636	4236	Fbnhphbp.exe	92
PID 4236 wrote to memory of 636	4236	Fbnhphbp.exe	92
PID 4236 wrote to memory of 636	4236	Fbnhphbp.exe	92
PID 636 wrote to memory of 4988	636	Fihqmb32.exe	93
PID 636 wrote to memory of 4988	636	Fihqmb32.exe	93
PID 636 wrote to memory of 4988	636	Fihqmb32.exe	93
PID 4988 wrote to memory of 4776	4988	Fobiilai.exe	94
PID 4988 wrote to memory of 4776	4988	Fobiilai.exe	94
PID 4988 wrote to memory of 4776	4988	Fobiilai.exe	94
PID 4776 wrote to memory of 2500	4776	Fbqefhpm.exe	95
PID 4776 wrote to memory of 2500	4776	Fbqefhpm.exe	95
PID 4776 wrote to memory of 2500	4776	Fbqefhpm.exe	95
PID 2500 wrote to memory of 2780	2500	Fjhmgeao.exe	96
PID 2500 wrote to memory of 2780	2500	Fjhmgeao.exe	96
PID 2500 wrote to memory of 2780	2500	Fjhmgeao.exe	96
PID 2780 wrote to memory of 2208	2780	Fmficqpc.exe	97
PID 2780 wrote to memory of 2208	2780	Fmficqpc.exe	97
PID 2780 wrote to memory of 2208	2780	Fmficqpc.exe	97
PID 2208 wrote to memory of 4396	2208	Fqaeco32.exe	98
PID 2208 wrote to memory of 4396	2208	Fqaeco32.exe	98
PID 2208 wrote to memory of 4396	2208	Fqaeco32.exe	98
PID 4396 wrote to memory of 1712	4396	Gbcakg32.exe	100
PID 4396 wrote to memory of 1712	4396	Gbcakg32.exe	100
PID 4396 wrote to memory of 1712	4396	Gbcakg32.exe	100
PID 1712 wrote to memory of 2588	1712	Gmhfhp32.exe	101
PID 1712 wrote to memory of 2588	1712	Gmhfhp32.exe	101
PID 1712 wrote to memory of 2588	1712	Gmhfhp32.exe	101
PID 2588 wrote to memory of 3348	2588	Gogbdl32.exe	102
PID 2588 wrote to memory of 3348	2588	Gogbdl32.exe	102
PID 2588 wrote to memory of 3348	2588	Gogbdl32.exe	102
PID 3348 wrote to memory of 1344	3348	Gbenqg32.exe	103
PID 3348 wrote to memory of 1344	3348	Gbenqg32.exe	103
PID 3348 wrote to memory of 1344	3348	Gbenqg32.exe	103
PID 1344 wrote to memory of 2416	1344	Giofnacd.exe	105

C:\Users\Admin\AppData\Local\Temp\86b81666b4dbd4765055085c15006910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86b81666b4dbd4765055085c15006910_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\Fmmfmbhn.exe
  C:\Windows\system32\Fmmfmbhn.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\Fcgoilpj.exe
    C:\Windows\system32\Fcgoilpj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\Ffekegon.exe
      C:\Windows\system32\Ffekegon.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        48⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        53⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        55⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        59⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        64⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        68⤵
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        69⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        70⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        72⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        73⤵
        Drops file in System32 directory
        
        PID:720
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        76⤵
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3828
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        79⤵
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        80⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        81⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        82⤵
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        84⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3888
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        86⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3252
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2364
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        90⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        91⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        92⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        93⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        94⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        95⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        98⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        99⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        101⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        103⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        105⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        107⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        108⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        113⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        115⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        117⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        118⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        119⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        123⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        124⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        125⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        128⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        134⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        135⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        136⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        137⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        138⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        141⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        142⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        145⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        146⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        147⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        149⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        152⤵
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        153⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        154⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        158⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6764
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        163⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        164⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        165⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        166⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        168⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        169⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        170⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 408
        171⤵
        Program crash
        
        PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6176 -ip 6176
1⤵
PID:6356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
101KB

MD5
b57b953374e790d6d06538bf9ca00590

SHA1
ba298b5997175db876cebdc426636edfab74fb80

SHA256
84f0f932c2b65894a193f65c5c1424d4af7398c6cdc3e89c858ccbd51da6fe52

SHA512
1ba607659650375c4dc5f61c78b638a7d8ae3bd4b01b534156bdf966d94f4af99a9afd1d770c19f906bab984c7a4a0f06ca6f9a417b86e96baed200d62800e85

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
101KB

MD5
dfdb0ed3f5a764f42a027be07bf9e2fd

SHA1
caad3a4f138a7f1b0815bb6009daf2dafb9554d8

SHA256
74bbddd8456a9295ec6033f9366126d3bb5629f7b49d47bd6c14bba130b97e74

SHA512
b7993ff0181ce0382abbe70a01367784d58fcb59b63e67d45bf632ddd315ec9e635a989c96917d7fc0502222e051586f7e5d0c17c04deaae8fcfeb0792cb05dc

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
101KB

MD5
db59eab48cf4dbd0788771f455724430

SHA1
1acd861a7797a14831c12b7003ceef22796e9c89

SHA256
348a16595b938ccd8e2505989d87e1fa7cef90a3cb4d69c806758b9d44f5e0e5

SHA512
03d4155f828945445ac312ba8ab58a401d58acd58e70756b5e15744cf0944f55961652db1b75b8700afcaaa087bcd59546c0df2a4e3f8f06b4e7630933a65fdd

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
101KB

MD5
743fd102408fd6d57f3f60c7a3bd11fb

SHA1
139a8888b95bb13124bebff5f59e97c7260a80f4

SHA256
6db06672063ea39dd7aef573274c0163304c09f8f28b97e0a808b73042ed4ffe

SHA512
2c70b210951c34afd991a2f1d9f8d7ed5bd75b1862f80f2805b365dd0e60ec83061dd00bf8e72f4005c18f2b50bdc589049dc162851e73e5b89d1a496d7a67f3

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
101KB

MD5
969dce73c8e0460f9ca36a25402cc949

SHA1
166ae38b3d3ead4eac46c1d3f5b50bba28e6f539

SHA256
1f70c87732678bd07e4b1e54ca8faea9fc93cc817b816ed22868c7c69b90d627

SHA512
5cd182179c3c82ec2d0c1fdc0e59f1f0d952871bb3db19cdb629949b9ea68f0d4febb88d9d5908aec3347511d632bc851665bb943fe8e889eb69a683d88440b7

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
101KB

MD5
ae77bda9ed2b0ab6f80b1737b513114d

SHA1
240407880b3796a3012896045d894a5cd01d76d0

SHA256
a9b53f8fcc74f6cda0fa82fe1f1c734657ec8e09ebc62e8fb2fd237731a08d46

SHA512
f89fa839dbad9fbe48635c693f3b969c326dae171377aba692b392c1977d424daea7a7432f378a6117a49c376f070477e9a7b325a4e85de0079ce28aabd49e1c

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
101KB

MD5
b8d343cee69edafb2cbb61268123cfaf

SHA1
1e39dab254409731099fcb626951bc65bb93d54e

SHA256
f1b7126a6e9934eaefee30146204fba325418f5973103f62c0745373c9d90fdf

SHA512
d3c443f18ae900ae428d92cf6176a3afae3ec8c3c1421d2978b84501a906caa7552add00ca734696b5760533c443127dd0cc3c84666d9b775004a962ecfb7b43

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
101KB

MD5
75e0dc2d9f71646906927a067f35c782

SHA1
a304b7dd831752bf2812604e9983535443af866a

SHA256
92fd3d6a2630e269314e2b10e8f20054ad1130096d1809a8f664b71f4135e5d1

SHA512
9030a324d77e706cae247637d6fc1da5d66d0ad3f9d0b0a9fa617da27481e1f63e9ca42245f139f2a563be13d69f5d222d2c2187c1e56e67f9c1ca405e5d30bd

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
101KB

MD5
150d27991958b5c7b0f31598037bc338

SHA1
cb5ba87e84ab81e45003e5fca6a6cbf2593fc704

SHA256
447f995dbaaff35b30132158258bb0867e27b2398858517809f444ae2fc533de

SHA512
34b11ac51d80c39dffa9ae5a122a8dd7c40b913668eed7098902c13b9ebe6c18e7d7d6ddb24c220d708be376b096805c43f087c42e3efb73881e3ec2c772d12f

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
101KB

MD5
fb9f477ae34dd48f4e112ced65f14a2f

SHA1
59fb2cef7e5d2d720abe1016fd1db28a600502be

SHA256
1ba0679723b402afc05956baf43b8b7a2156fe799ce01f33466414046ed339e0

SHA512
bedf03e4b11a7df8b03de91da2ff8b8fbb3591ea7d45b3f46133c082b4cb0e4c969a9b86e2225c84de9e36d781f4545e19b28cf8020132b131f65f4900de811f

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
101KB

MD5
c07647c69b1774eec7b2a6defc048a20

SHA1
a5106c4dab10375dc76e96636180696afd2692d7

SHA256
bea80a03831508a38f76044189a618166c37a923b2dc3eb2731ae95dc5a741b8

SHA512
01e8d449cc9b74402bd4ab9fd4db3b98921ba11f4487b6ce3526bb2db303a6fb0c630f704cda6f03ce032bbe98f0ab8bdc4891d964e6216d97d55a4f3342ffd9

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
101KB

MD5
ccaba78f6e79b58efba0fef7556534e3

SHA1
e7215ab1efc93b9b1e5ddd05aee2f8f27cc99bb3

SHA256
ff0b08c1f76d10dd8cb4a78ab25de703a0c23106d8d3362cb0225ef5f5bb146e

SHA512
fb001f86bd0a398d1e0896fda7b162f4340c665128717833d1bbb980310b80b649c3576949bd5c5b866161f8517649ffe8b679f5822dec3c0c2d5b95aec7a3fe

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
101KB

MD5
c0d2ca38c40a3d8c973dec5676ace000

SHA1
fd5fd47600e617cc7988e64bda4e2b0d510b22a5

SHA256
962107cd36d8a495823cca3eb0fccb71001296fdab6b4079ab75ef31d262805f

SHA512
2b7339cbdb4f4339116ef1174b3965710ce4b5c74dc27655b5c5ce6e9aacd9b9f3dd538b003d1e4d825153526f09f142d6015a25fd61c38a9151194f07c5851d

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
101KB

MD5
673e4bff8db808d6483d6794a3bb9cce

SHA1
cd3f92116c185d7ee458d507e19223963d7b3ccf

SHA256
dbee47a774dab2e20545b6085d208177d8f2f525ed40bc17cbea7879e3b68c47

SHA512
1b2d16d10b8b5976fbef7335180097113522fe9cfea241b4b5e26f2e7473419406c62e80b131312b3f9ae571cb80715d4b4b6e9125f37014d74d3cbfbb0f37c5

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
101KB

MD5
991405b38107245088b488c357568feb

SHA1
bad3b101723f5089f1202cafff8fbb1fdc6ff980

SHA256
b4a740cba271680e549f0869eea4a965816fb18352008637a0d248a73da71a61

SHA512
471837b6334357761a4bc18491ef05d81b356906e6fd2f87b1549dd751e345eb3306925eb3cd44ee3e0410c0d7447d5688fc8da3c3d09953e7f1ec1b61e56c36

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
101KB

MD5
aad2d58cdf485cfb881f417be6744b29

SHA1
e1c7123253238e88947d899d071c20466825b438

SHA256
b7731ceb9620c33d46b8d4c3f8346af91268be388d085f81d473fd88c56798b3

SHA512
027b22479fa9f374cfdd715b8792d42727e4892b582e4cc6ae22b56e753837e5729bb9791bcc0397bc8bb0cec3149e74057fc60e28c6babf96f9192858089618

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
101KB

MD5
f10ce213bf35f22dba922830b470e354

SHA1
cc0adad9a49363644bfd48d411163352f11604a5

SHA256
50671434f4c006fbc56d65547e2a53408abdd8cb3996cd61d8bc5761446cddb7

SHA512
8f2bcf5380b9a85ef315ce561a7451e7f9490ab8a37ba8fa5fce16e30e7c62f5160e141ea0db977c907084c59e6e5d2a82d477ce76885b4a6ec8201fbcc15c87

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
101KB

MD5
6764b0c00769b3c0b78d2718fc810e46

SHA1
c957d9ac1ebd9fc47d69192579f91175a648efdd

SHA256
2240c9cf52f561bf858596d705258662b3e201a13f01da9bc63d59d29c2882ca

SHA512
be14a3ecf0c9e3956eb4eb069c3db5bcb3ccbe1d258ee2f30be98abb0a77b317308bdb660cbfc1698045bf66b18b4f45bcd2e725cf360770c10e1526f9a60fb1

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
101KB

MD5
b3861ec49df4a31aec997be9b4a6fa95

SHA1
ecbba982bb8ed490cd1ba36ecb17bd4ecbaba1be

SHA256
bce1c141ccfa02397c60ed6a5bb6002519c1d679d34e913183c5eb758a72fbe2

SHA512
822f13b01cdff858c0571a357b9c2474df4b4174be6bb0ddd7b991dd0e1eb09b845f2f4bb7f4229316a247f0eaa0edd9d76433c8dc6feb62f4adc9c85738299f

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
101KB

MD5
5acfa1d0cd4a48ac364adb00183daec0

SHA1
41f629e04ef52fd54d2aa076922e5785b3cf5bf8

SHA256
a279528a0846a8b2950797ef0c2c559e45ae098a893954b19ec256e217f4e3c8

SHA512
b659955f3da5fccdca301f38da9652951cf5c2383b6c08a38e78df4159a864e4524bde0a5f70f6857ebfba67b8b5c4b9f7937d6f28bcea39b3e8d484f03d8e8c

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
101KB

MD5
7e63d1280aea462cc66d92253816b048

SHA1
46e59f969e576b69c624dbcb7ebd67d488ddf91f

SHA256
5bc618b57a4a3b975c86772a6ab2a85ce24c6a247f217e72317a58a91af26731

SHA512
ef93a06fec65fd87828b59b8d414d5406845420d034401d253c71ab96b69a0eef1621c8d2322e1932e345698a415c4ec3476fa7a311b70dc98b416199f207329

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
101KB

MD5
bf9db7dcdb822875e054a84a55d4d543

SHA1
877bc5743990479ead65a8c3340925afd509f3fb

SHA256
ba806da188e6d38816f4cd59a6ba2bb40521432672aa6138b815f767ab683a39

SHA512
6ba738d71506c085c742f55f3ddb7e61fd44fc5c4bcaa0d7ad073545c3d24ee0f30bd1db98a20d1245faa0bc47d8e5b1d325c99ef17be210404be9fd19c94526

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
101KB

MD5
ead8474734180d7102bb61f4c90e8d76

SHA1
72bf7c574e5086eceb6e7d0911153564cba780e3

SHA256
a72812db5a82001612cc7e6f4bf05bb0897f48925eabe7cfdf93cd832b1a76ed

SHA512
68f51c2df9b6183cceedb639dc7d2ffc57f8f679f71ea0656d49a44c25ccd329987aa759b1d44049e2b13581399ff544230d0619e2e9c1392e63cceaf2c371f6

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
101KB

MD5
b8bd51ebe54e77cadb479cdb68e6d764

SHA1
ed5a301196de14ef4f4b7384b6e44c251c616f73

SHA256
b3692e657b728aa83c004c7bbdee01fed7c2d3982c46a185b108e5d2b59f886f

SHA512
c48c209ac59a5e59328c7725530603dfa888510232f82fae0b148680db0244dcb7dd5b656438195b8f06cc0f3e36b34fdd2c42b2b89fac74163de43e20162e30

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
101KB

MD5
ff3879eaedaf348ceaed17901dd4102d

SHA1
2cb7c223a5924bc4853b62e13fb23f125ddfda0b

SHA256
308c6a294f6e52de14a193b4398ac779e051a1af207c2c0eb8386363890c2a60

SHA512
72997733f601a7761fcbd4f1dd20223899fec5870621eaa206a467da38ea00dc3f445a60d940a63349cfbcd7a0cf7f0069ca3349b6c44d6e50662f1a98e058c8

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
101KB

MD5
df043b06139c763422c3d81c01ba6963

SHA1
657460dae163ea0f51a4e7b33446fc3449377974

SHA256
f480c18c69c1445ed61c2dceba60274ca937a1c17f96c2fa86358374b6561b2e

SHA512
58e60124432faee26722ac00998856446e88192becd04903ad2a483c66f8dfe3cb562f3a32c10d5f74459d55eb32e66ae9fa2b81c67d79c18caccacafefc7129

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
101KB

MD5
7d2152ccbb3ec68f8935f119088e12f2

SHA1
69345d5dba0e1d78a4957726b9f8a03739ad8c06

SHA256
31ec6a83814c32d2bb7566ac1f2f56d7b14a46a3ea8933c5d22d005f675b661d

SHA512
7f3c8e9f4960a0f0636ff7fb4fe60a9fb66bb4c4763947dd414140d1816cd49480ff865638797a2191499de137af669a3423ecf321628df54ef96ca0b430a9fc

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
101KB

MD5
5ca80b20ad92333f27c93c914d97ce54

SHA1
d5b6f9bb7f482cd4da2b4e74afdb3840eefc8f44

SHA256
01672d204fea60f38d5086c2f860ab5b5e606b59f7cb80439d48a9b13c05eff8

SHA512
37dce5c631820cca8a0238ea141b25c146b795ff32d03087b2113ecbaa1a4519302e28c02ebdc77509faa712aebbdef5f0b1e3541884407d1a6d1c1a9cbc5e02

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
101KB

MD5
45b264ef1778c4fc2cc7d1c1dd5eb275

SHA1
9178c28547853451a69c4a47b4bdd989818c10d7

SHA256
bf81dfa6ff20b42236b746d8f421ee3b4a9209ef7aaa9def0cdbf68bd22325a5

SHA512
dd29711f205c7b9475e32d769d78d38e42a00f00f9874b2a668876df92388076e54168ce8921c1faff05dfefb06fb302246ed8272c74b3e1765617e4a1f66287

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
101KB

MD5
1693d8781db57e193d24fc6a35e5cbf2

SHA1
bfeacbe505c0b6a5aa5edcb1c7164b69f00da58d

SHA256
3d1d5b53939c469cb650c8d1670da717a8820e621687e9fe282ac17a1a989cd6

SHA512
94b3e543ca3d87fbdc1374439ed88cdfdd03c6e119066eaf2f49ec381b54028407264c9c02b3e705bb3f24c93e65aa2da2976dcf88401112be3800b50e040a17

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
101KB

MD5
8c7d0004f58397a43721a08b1eeb32b0

SHA1
3659ebf74a4ea56ffa9a2793a6a4248d4db3d6f3

SHA256
7cc6f1fcabc83379ab5c65e1b31e2fe5573efbd8324d8bce94b5f769dff5db71

SHA512
0c9303c10b0d4a3a1a6de26f3eff9268a2088212b86b131ad6f015f0fd1512eadb2319f8f2b704e348520daaade1898342fb58686bcb4d86b7b85a6837069922

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
101KB

MD5
79c7c2264f7e52e40f63a8d7d48887d5

SHA1
74d24a713ba557a3158debd4b32ae5d843cbce69

SHA256
d64f1db2303ff746833b44fc81222a24073ccbc50d749ee231816d155871f113

SHA512
cdbaccfa5fb36924677db27205a5fb17e5a57fc1194a58f4756436f3c2ff650b05faa614fd46ac934f09a3fef1c68d7849a44c5f5a41ce6b7b085cad79a9e435

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
101KB

MD5
2dd940c807582fe1eb48420a5d7e665a

SHA1
73ced4ea16a29ecba6987392792c7008cd6f0f08

SHA256
9f84a9c6ba1fb60d6c253113d1cf19d43d2d591546bab674dcec071942c56fec

SHA512
22c9c053a66d57bb088803bc261dfeaf1e9905fa4bf3c5795c7533072170c22e7763cb9d2fc1fd8a05857b873c7a3a7fae8536bc89b0c9a04e40f91d4c49e40a

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
101KB

MD5
ad5fa6ca77efdf37aeebe776675bf6ca

SHA1
f94ecf8d7ee98b0535d715847291dbecbdb1ff35

SHA256
2832ed3a40f3d8e9eb83e276eb6fb60e2fa443893499ba3b5bdb345beecb4ab8

SHA512
7d2ddfd38ee9660800efadce3b4741a3fbed5f9715d5c243e6ed2a9ea1ffb8edb05abc406017bc6f59f150d2d033e2cc6b5e8fee1125fa96d902ccb3eeeff951

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
101KB

MD5
92b5bcde00010f0b81a7efb6a1830e42

SHA1
d8238e2ebd5ff815ad649b6f871d8917ce099310

SHA256
594466a1bfc9f46398b04a24ad9974cecc3ebf64c01deba563304fcce94e07ec

SHA512
8d48fbf6d57f095bdb3d6c481c27c0725b993fd64f454fb60ae13515a6a1d7935d90852759c6b4450cd4a39fb922c137af3a693c82ab89d0261358b20ee77115

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
101KB

MD5
60b2ef3f1be7c7ac3ba46e4fb7c22c4b

SHA1
44710db729607fc9be69f4751e6878578a56abab

SHA256
0403a5ec030f0a5ed17ddbd6646fa32cc2d5065775c90c295a0a9cf331462d75

SHA512
173f4574e7c04b6d3aa4676bc91958347031149d7d2e95094258f68ce1c7df61663fc48710eb7f16c0e5e793ff1c69776698ac897a77fbf88908f7e0cf1ddc7e

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
101KB

MD5
6cd6f2563a64ed1752c3b3a773034556

SHA1
a9bd58c222faa114854367f09d8387ce54481414

SHA256
9f963598dedef90f978e8c51360926b81b40b22ef1215d404c9818567c7263f2

SHA512
2354ce70314e8e23883f975e0c5e0bf2e655ad3a7ea848729a954ee4da661d41f420bd3de07bf8232aa380912ea820c120051b1e99ebe3b6df1c8a20d69d606b

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
101KB

MD5
03d9226a9a8874eb0fbd61dc84273a1b

SHA1
1b10c5738f5c74df81e7f4e91c94c8739821852c

SHA256
c90c4e8f5225eeb746c35ebb5c7be47ec41f700c708932ef5b5d83959982af69

SHA512
59e20eab4a75b6a79afd26dde5636dfd1b942c7bee7591a1fd65bb97885c70501ecbd1f8a9ca346a35bbd91c35d8e6b658cfa43bc55c1c214ed5e7517a485053

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
101KB

MD5
2911bef703f12ee5c6465856cf35339d

SHA1
34bdb66a7fc7bb21cd4558995f0253ab5b2f1a1c

SHA256
fbbd7da3c077a4f410dc61856701e41c23a8f1f7eea77d27445f60b97626326a

SHA512
b0319f4316c4f15f01113d62eb437c6d2f27d44004d8f91eb2fa218a15e27280bca701f8e813218afa018f4f7f120f45e83488a611931594e73afd31bdb86f02

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
101KB

MD5
dd6b66028ec15196e01726d385e0aa00

SHA1
9b98f8f66b3ea03ce19adc92faaab58fccad1862

SHA256
50bbd3276cc47fc8682bee0b39f2aa5a3ac65012e50763205899f0a7f1309530

SHA512
ee0db3a88a2ca27c3db3b5ce6aac19260401937b39ab241fa0a78567e20930224db7502795c41714e438f57c487d4c362940f45510c90054520bf23a74e0f784

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
101KB

MD5
61fe5acfa76b322ec8ab600e4d8c6f58

SHA1
05a14e35a816494d75b3bbf07736d44454817396

SHA256
e87a456a821555f2085eacf17e7774a6353f3fb6665ec5403864af023fc9bac4

SHA512
828bcfcf084c575f1f63fe1c8b8c0c60a45d9a182146a87510dc72b06ed135440afb2654ba73017ec9e9e8fdca452c78966a1cb0543c520987ec3cb705912ce5

Download Submit
memory/400-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1224-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1224-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-590-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3572-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3644-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3828-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3888-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4072-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4356-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5820-1189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7148-1146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads