568622c69fc612e7b75cc6392d9c971964f7f42c734057ed4c77f151fa78dc16

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a00bfac83a86664b3be15bbc9df4be70_NeikiAnalytics.exe
Size

71KB
MD5

a00bfac83a86664b3be15bbc9df4be70
SHA1

49601d61de1b32cc0681625aaf376495e4ee66ad
SHA256

568622c69fc612e7b75cc6392d9c971964f7f42c734057ed4c77f151fa78dc16
SHA512

53ee4e36d455d1e3af52f7ef392b07bd649773b11fdceecd54c8bc8abdc090bcbabd57a53adbff5596644d2443c2d9b43cbeec5a38867d4fcdcc6108bf4dd23a
SSDEEP

1536:P6D/S6bU7Ly/8wFh79L7f0engB5SJRQHK1P+ATT:P6/SwU7LykzlSe6P+A3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	a00bfac83a86664b3be15bbc9df4be70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe

Executes dropped EXE 64 IoCs

pid	Process
1804	Ecbenm32.exe
3548	Ejlmkgkl.exe
4004	Emjjgbjp.exe
1320	Eoifcnid.exe
4820	Fbgbpihg.exe
3792	Ffbnph32.exe
756	Fmmfmbhn.exe
2844	Fokbim32.exe
4392	Fjqgff32.exe
1572	Fqkocpod.exe
3264	Fcikolnh.exe
1584	Fifdgblo.exe
4020	Fopldmcl.exe
1844	Fihqmb32.exe
1688	Fobiilai.exe
4100	Fbqefhpm.exe
3148	Fjhmgeao.exe
2928	Fqaeco32.exe
2676	Gbcakg32.exe
3208	Gjjjle32.exe
4668	Gmhfhp32.exe
5032	Gcbnejem.exe
3880	Gfqjafdq.exe
4996	Gjlfbd32.exe
452	Gmkbnp32.exe
448	Gcekkjcj.exe
3648	Gjocgdkg.exe
4860	Gmmocpjk.exe
1152	Gpklpkio.exe
2412	Gbjhlfhb.exe
3716	Gfedle32.exe
4288	Gidphq32.exe
4468	Gqkhjn32.exe
4420	Gbldaffp.exe
2840	Gifmnpnl.exe
1792	Gppekj32.exe
4540	Hboagf32.exe
1424	Hihicplj.exe
1284	Hbanme32.exe
512	Hikfip32.exe
5100	Habnjm32.exe
5040	Hcqjfh32.exe
4680	Hfofbd32.exe
212	Hmioonpn.exe
3180	Hpgkkioa.exe
1612	Hbeghene.exe
2460	Hmklen32.exe
2216	Hpihai32.exe
4924	Hcedaheh.exe
3952	Hfcpncdk.exe
2268	Hjolnb32.exe
3776	Hmmhjm32.exe
2824	Icgqggce.exe
3420	Iffmccbi.exe
3448	Iidipnal.exe
2320	Iakaql32.exe
2416	Ifhiib32.exe
2880	Iiffen32.exe
4612	Ipqnahgf.exe
4576	Icljbg32.exe
3112	Ijfboafl.exe
396	Imdnklfp.exe
4872	Ipckgh32.exe
4740	Ifmcdblq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Oijnep32.dll	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gfedle32.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Fagmapfi.dll	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7068	6980	WerFault.exe	247

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqaeco32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1804	968	a00bfac83a86664b3be15bbc9df4be70_NeikiAnalytics.exe	82
PID 968 wrote to memory of 1804	968	a00bfac83a86664b3be15bbc9df4be70_NeikiAnalytics.exe	82
PID 968 wrote to memory of 1804	968	a00bfac83a86664b3be15bbc9df4be70_NeikiAnalytics.exe	82
PID 1804 wrote to memory of 3548	1804	Ecbenm32.exe	83
PID 1804 wrote to memory of 3548	1804	Ecbenm32.exe	83
PID 1804 wrote to memory of 3548	1804	Ecbenm32.exe	83
PID 3548 wrote to memory of 4004	3548	Ejlmkgkl.exe	84
PID 3548 wrote to memory of 4004	3548	Ejlmkgkl.exe	84
PID 3548 wrote to memory of 4004	3548	Ejlmkgkl.exe	84
PID 4004 wrote to memory of 1320	4004	Emjjgbjp.exe	85
PID 4004 wrote to memory of 1320	4004	Emjjgbjp.exe	85
PID 4004 wrote to memory of 1320	4004	Emjjgbjp.exe	85
PID 1320 wrote to memory of 4820	1320	Eoifcnid.exe	86
PID 1320 wrote to memory of 4820	1320	Eoifcnid.exe	86
PID 1320 wrote to memory of 4820	1320	Eoifcnid.exe	86
PID 4820 wrote to memory of 3792	4820	Fbgbpihg.exe	87
PID 4820 wrote to memory of 3792	4820	Fbgbpihg.exe	87
PID 4820 wrote to memory of 3792	4820	Fbgbpihg.exe	87
PID 3792 wrote to memory of 756	3792	Ffbnph32.exe	88
PID 3792 wrote to memory of 756	3792	Ffbnph32.exe	88
PID 3792 wrote to memory of 756	3792	Ffbnph32.exe	88
PID 756 wrote to memory of 2844	756	Fmmfmbhn.exe	89
PID 756 wrote to memory of 2844	756	Fmmfmbhn.exe	89
PID 756 wrote to memory of 2844	756	Fmmfmbhn.exe	89
PID 2844 wrote to memory of 4392	2844	Fokbim32.exe	90
PID 2844 wrote to memory of 4392	2844	Fokbim32.exe	90
PID 2844 wrote to memory of 4392	2844	Fokbim32.exe	90
PID 4392 wrote to memory of 1572	4392	Fjqgff32.exe	91
PID 4392 wrote to memory of 1572	4392	Fjqgff32.exe	91
PID 4392 wrote to memory of 1572	4392	Fjqgff32.exe	91
PID 1572 wrote to memory of 3264	1572	Fqkocpod.exe	92
PID 1572 wrote to memory of 3264	1572	Fqkocpod.exe	92
PID 1572 wrote to memory of 3264	1572	Fqkocpod.exe	92
PID 3264 wrote to memory of 1584	3264	Fcikolnh.exe	93
PID 3264 wrote to memory of 1584	3264	Fcikolnh.exe	93
PID 3264 wrote to memory of 1584	3264	Fcikolnh.exe	93
PID 1584 wrote to memory of 4020	1584	Fifdgblo.exe	94
PID 1584 wrote to memory of 4020	1584	Fifdgblo.exe	94
PID 1584 wrote to memory of 4020	1584	Fifdgblo.exe	94
PID 4020 wrote to memory of 1844	4020	Fopldmcl.exe	95
PID 4020 wrote to memory of 1844	4020	Fopldmcl.exe	95
PID 4020 wrote to memory of 1844	4020	Fopldmcl.exe	95
PID 1844 wrote to memory of 1688	1844	Fihqmb32.exe	96
PID 1844 wrote to memory of 1688	1844	Fihqmb32.exe	96
PID 1844 wrote to memory of 1688	1844	Fihqmb32.exe	96
PID 1688 wrote to memory of 4100	1688	Fobiilai.exe	97
PID 1688 wrote to memory of 4100	1688	Fobiilai.exe	97
PID 1688 wrote to memory of 4100	1688	Fobiilai.exe	97
PID 4100 wrote to memory of 3148	4100	Fbqefhpm.exe	98
PID 4100 wrote to memory of 3148	4100	Fbqefhpm.exe	98
PID 4100 wrote to memory of 3148	4100	Fbqefhpm.exe	98
PID 3148 wrote to memory of 2928	3148	Fjhmgeao.exe	99
PID 3148 wrote to memory of 2928	3148	Fjhmgeao.exe	99
PID 3148 wrote to memory of 2928	3148	Fjhmgeao.exe	99
PID 2928 wrote to memory of 2676	2928	Fqaeco32.exe	100
PID 2928 wrote to memory of 2676	2928	Fqaeco32.exe	100
PID 2928 wrote to memory of 2676	2928	Fqaeco32.exe	100
PID 2676 wrote to memory of 3208	2676	Gbcakg32.exe	101
PID 2676 wrote to memory of 3208	2676	Gbcakg32.exe	101
PID 2676 wrote to memory of 3208	2676	Gbcakg32.exe	101
PID 3208 wrote to memory of 4668	3208	Gjjjle32.exe	102
PID 3208 wrote to memory of 4668	3208	Gjjjle32.exe	102
PID 3208 wrote to memory of 4668	3208	Gjjjle32.exe	102
PID 4668 wrote to memory of 5032	4668	Gmhfhp32.exe	103

C:\Users\Admin\AppData\Local\Temp\a00bfac83a86664b3be15bbc9df4be70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a00bfac83a86664b3be15bbc9df4be70_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\Ecbenm32.exe
  C:\Windows\system32\Ecbenm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\Ejlmkgkl.exe
    C:\Windows\system32\Ejlmkgkl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\SysWOW64\Emjjgbjp.exe
      C:\Windows\system32\Emjjgbjp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        28⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        41⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        44⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        45⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        48⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        50⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        54⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        57⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        58⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        62⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3872
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        68⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        69⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        70⤵
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4480
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2464
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        74⤵
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1420
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4896
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        77⤵
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        78⤵
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        79⤵
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        81⤵
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        82⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        84⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        85⤵
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        86⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        87⤵
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4956
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        89⤵
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        90⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        91⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        92⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        93⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        94⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        97⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        98⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        101⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        105⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        107⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        108⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        110⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        113⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        115⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        117⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        118⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        120⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        122⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        123⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        124⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        125⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        126⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        127⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        128⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        129⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        135⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        136⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        137⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        138⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        141⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        142⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6260
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        145⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        146⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        148⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        149⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        152⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        154⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6752
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        156⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        160⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 420
        161⤵
        Program crash
        
        PID:7068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6980 -ip 6980
1⤵
PID:7044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bppheeep.dll

Filesize
7KB

MD5
05edbb8a70be7e552ab09856b0f92d9c

SHA1
0353057a511451990bd7f5136531ad9d9b6563a4

SHA256
0293f9d4742b72ebf5fa3dec00d1abcb09333927f5481a8a835e6c6b11393a4b

SHA512
5f43a74b2bec35a97e448e4a8ff1eeced57ce26a58876bdddcaf067810dc322e9990eface3d65d8e499c91a522621d87a40746ebb79e88c7c7e5970b2c1a9c5b

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
71KB

MD5
fa3eef0a39ed15b32cc0760849a7f0ec

SHA1
a38323024cac14c08b7dfff90bf64d18cbe4a954

SHA256
3087eb31b2ce046c4f1e99aeadc0d00fa3191a4395639114dd2ed7f182091058

SHA512
1dceee1531c3d458849fd9798eedf8eea750e9d4ac67700aaf31006c5ef66cb604e1cc04da6997498dcf31ea1e779117a76230f4e69a465f6faaa4b5eb511044

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
71KB

MD5
f61c575e80ee040e352b5cbb872434fc

SHA1
56dcf8a91b4715621886d3ba73c03cd34bd9217e

SHA256
5c76c599bb831c06950ca520a0fc2b924001fc7b56dae177384fa6bdb7e8b4c2

SHA512
13d50c1a62c69b5d90d2fb4e19ec2df1827ca4be76d19a63a200fd6fd2c6ca0a80da81773b8eab8d849ccfda324391baf5d25301f0a9b7e6687b659bd4b175e3

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
71KB

MD5
52f4313f1c7228607ee8afd344f1bf1d

SHA1
fbc543466cdf29479d875fc207238e3bb8267855

SHA256
acdbfdac7c27dd772c3dce07378a89eb02b6b3824a552022f9e1f3117367d6dc

SHA512
e25cb4ac45a337861165bc1dc649eb5e9956d6e7dc5cbd96aa9b25ae591687f7b2d0b8787461e4eacd76f7adcf0a682a20a5207c998d65685fb2c845b46ab017

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
71KB

MD5
e90bd074a34e3ec591eff51b188d3c64

SHA1
8e5936ffac06e07c768379f566729265ed3eb878

SHA256
dff131ed00d9128a209a8fd2a24125b317aa0b461ba243c93390f8c145604ab5

SHA512
c8b1a72fce0520395be8ae74b59e241f3767923e687a851b1eb0377b9d916fe0f34f29051eb9e6a6c886d0cf91fed6e7a8c76d49f808bfb315f69e98ff63e9e8

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
71KB

MD5
af4d0b2d3dc7509266e252753fa311b2

SHA1
0ae426d8516c2cff1356a0f30349a1a18556b5a6

SHA256
328fb533b59a2d5f67df6f1bea19d2b4bc81f29a151ded899113f460a24bbd8b

SHA512
e9ffaa92b6fe9b0e513e6359e27be40e7039650d2f075603e9cc76b329f85a37f0efe72f439345beda9966e0bb0461a786d41ed3e4958ef5984879bd62fc39a7

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
71KB

MD5
7e17b50f9e313ed167d178562bf01733

SHA1
f74627d94378d4acdd1c6a831eccb05c31e1c513

SHA256
a9ce5861f2932e83c61881ed71c9b4e98727917f630a9a899ceab71a81e49a0f

SHA512
89fb9a2ba4876f98b7747de4846880932bc3507e7887577c7f82a4d26c4c3799b4a738e8d0c90e045c6f8c2800a204a23b3398f98c15bb1e4115727be8bdff80

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
71KB

MD5
3239af5cd64854f24faa69e770c60809

SHA1
6dd809c1b59cf6381d4289af83c55320ade3e500

SHA256
fe93d999b47d22a53535d37473a9451ba24c39d4f8d3a052faa7dfb5801fea28

SHA512
fc735c4b90a44e6ee2f384df309a4ba37ff04f8b3fa7e3faadb4acc02086c1e9c3ff8bf89ae2813605b042def007ae45950e3092fb6b43c52244243a90c8704d

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
71KB

MD5
70feef38d2113c54521150354803225b

SHA1
5b42f1006f95f2ede0c5fcc21fdf1b0c443997b7

SHA256
036231500bc07b2d57010ee75cc650da6df52545cdda402714da9edfe7181aa4

SHA512
ae3a4b9231c15b24e8b684731d48b97b71586c1f85fd36380eba7042333e533f4a8c0aa99a5e69b8399615f88a9cce5b0c03a36a903d219692fc5f1fc61ff3d3

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
71KB

MD5
6e866d21541958a84cdbac82a0faa22f

SHA1
853888b01c80f3e7b79cd6495e21687d6f6df719

SHA256
ad36c319d6e520f0f13f006f8c47705f4a89e347b51b9730960068a22453e644

SHA512
ea562ff397a831d179ed5633f86a3f554b836c693972c0397d9a07553172b4f43fd3747fc42142a6b51dd2d9634dc7c49d84f8d587d26640d36935b27c32a56b

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
71KB

MD5
da0ca2aa952772c61b03352fe2ae40d9

SHA1
e2696a486230e8f0ff886ed231d5484c02a2c1f0

SHA256
389727d0f547d74bcabbe9a32974b47949660d04a7ad4e98c19b81ffbee8bc0a

SHA512
deaa6e049ef7b9bcdff2f48f4cad2212c2d2901d5326656870b29b110278104fa55ea87c3426636777989b2493912b74c71f08b9c0996638a0e2d7f057683f62

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
71KB

MD5
b6251dd0898a581639a0630942e18123

SHA1
f556677c808a936af8be6842177bfce27af9eef3

SHA256
7be03ccdb165b59d25a576fc612e390bf0ed0213269259899fcefe1242cf2c1f

SHA512
90aab19d883107740fd06a8cbb25643c3ef13269390143553ddb5e98766188c6e686551fd96420b8d459fcd170c64f7f5512505db8b4ddc84c061051d417077d

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
71KB

MD5
831ba25394cace7bb71f899315508bd9

SHA1
d96bbbd9f5d687b55ec14f108b743bf0865f3e95

SHA256
5768db60deb4602d5a781c74984f7e2bf2bc0648b81f00ff9f35cf2ee7150838

SHA512
dcd91f74e067729a7514e822cd5f0f0309edd866e936ea062435b8a8d62b4153a3b9fbe99e8a0fbc5d006cba752839472e92b8a365c67b06ccf185fd9648e3a8

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
71KB

MD5
402a953b4e291fa0cceb6458270ac2db

SHA1
a30fa86f110a1f6a27c7c200917cfafbca2e0383

SHA256
aa77ca68fa00e3affd53bb1754ba155d9b885155d2bd338bacf4627416c7bcb2

SHA512
f8bc7dfdb00e6ab44d03b7347247c806a6ca8d7378bf8a790a72fadc6bfd8d00a72886fdf5c54d8b8d50efcce06464298a02fef2cca9a6c56ab568a6eee58805

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
71KB

MD5
4d219ca1b6b59230369bcdd88eb8c09a

SHA1
0d37b58cdc2af7edd3dc476c27cf38822308a091

SHA256
4224473d19185a83d7da85a3e19f9b10431b4bcad4aab2269211b281a3c6b830

SHA512
1232d8d4bfc46126807ed0054866933b962b35f6788d91b77bd753797f9baeb9f2cfc0cc6ead4881fa87c60ee0ff1102bdc820650ff4d06589a36e3ff23e97f6

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
71KB

MD5
0ae49243b04a7e0c21489a1e08bcbb35

SHA1
03af773923425a2bdeb3482c7aa685d427573361

SHA256
497624dad4aac5f0de9b9e044aa94f674de7c43c09a90f14fc17c5c7ee4257bc

SHA512
84d8ae2d6f2b4d9f3d496bbf715e0ee73db27c5d7f749bfc8e5dc7fa3c9b2406166a562b707ae25db0872c9123e9db0b824d15199524890d2c4f6fa90f68d9ea

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
71KB

MD5
e1311b6efe9767dabbdf446ad76968bc

SHA1
b5b913caef47a1845d7161935386051e0a75ec44

SHA256
b7ef3d12f884a7e3233312662d11d2dc85bbbbaf0d01982872a160e0eb9585fc

SHA512
669fbe6106fd50cf9cd9057f39ddbc9398ba4c19138164794e638a39b52325b1c6d5c7e73886379241a04f89ac224b260157189c43eaa39a4fd6b4c5000b3954

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
71KB

MD5
b4be610ec78b2967929701617b1e4cbb

SHA1
5dfa013beed5000b7a3420e3b7992fa293ca3796

SHA256
7eae3856dcfc8ef92d3a78462d8f570193ab10298937df54eaf2f6ffdfcc4a1d

SHA512
ac61ba90f5fbe2559f03448212706b5ff4187c7d80319a134d0d8bb3f2594469ede5e45349532b9fec06ad58d05ba1cb6364d70f03338b02b7f17aeac4663f3b

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
71KB

MD5
236069eac5f835a64671c2457c6f9f89

SHA1
6feeed3d131f46674650d1e46f28b1e53ff98681

SHA256
dfb33778ebbbdffb77cfcab974b76a241bc2d0755decc9b4ea4d6892f665a54d

SHA512
6e880cbfdaee58f0f700425c9872c0c1fd2d5308f263e4f04a8a96adfc95d5f76aedbb88adad35ba379c0f269f7e98aaa330b708d00ed990bfe95043835c7d51

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
71KB

MD5
d8e760e12168265bfca902315384bd9c

SHA1
4b7fa0a65ff7ed2a2652c3b4b8d528a1ee2cb795

SHA256
eb1c09dea9dd6fc71e7f663c52bf7f809c1d4a41010000610debda3f86e87c77

SHA512
87fe3c05e4f8cf3f35058cc160e967a816c548949837978df0cc5c45668b63dc146772d52b171857e59b0b1bfe1143dabaa5f95e6fadb9091115b3c15cfd1965

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
71KB

MD5
cc6cfe3fdb2a9cf55df8a5e094e5890d

SHA1
02c06ec9220f6b9283cbaad41a76b9682596abec

SHA256
df6e41d62d590ec5a086ce889b69de7faa8c15feb19d5cb19f77ea3c5699cc06

SHA512
d9e91c6df34701651e9a7d6c5707f4b747d677d19523e9f82b0e9f3489130baa4b545bae703a60b9432bb80c65a8fc181b77cc42e12930742b5e811b666bac36

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
71KB

MD5
42ed54bb57795259bd6b6a22493538c7

SHA1
2b44e8bb8a39af07661127d1bfbf4a16971968a3

SHA256
82154c1983e7b470006c9f7b959ae309e9158d8d64ab0174b5af4f7af58b8089

SHA512
e9b305d51519c03d99b30539fc7f765c3e2c816ba335553a992b8a2a7a54d843f4358546202c50a12b5a5c3e5c4dfa0f5810f20d9f31012c2fe6b61714bc3efa

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
71KB

MD5
f102b4ec1339831b66514ecf3290dba5

SHA1
8123eca16112609e2f063aed95088aee112a6019

SHA256
f372214c2b933b25e3111b5c331314a71835b3921aab48fbc6f7467fc35b93b8

SHA512
60a63b1f9def680ad68781077e498c655695df885d8127c6cdad6c8107303041839c753565a74bfd78c16c10b5bd19240e13bb9d59c37dbd48e36b8b5d2af23d

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
71KB

MD5
270e373d3bd45702a66002c9d1486499

SHA1
4861465b625d6df6bae0984c52f34b000426c586

SHA256
c3db3fe231df8f6a2da8437532e00c44c42f2e5b6e986d75c45eef74e1f5c285

SHA512
2ff091d650e0bcbe67c7f2e9874315f2fd6b8934385a652a188d01f0e7463991e3e67d29d8888d6709350960a09623a899dcb4f75d392903c3a3dbb2c2986945

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
71KB

MD5
285374c8a288e22789f813c3e9d91ef1

SHA1
58afb8c08d137dd22584c300a2dc16fc69832f01

SHA256
ac330c3e5fcc1967aa4c02533966e71a7d7e677e41073c26e7416dc5e0cf6fab

SHA512
f59aa3c70de98a093da6a9c5347da80a1f6709d589b111bd0c6224b80731b009436d5c62051e4ba189fdf2cfb0ec5eb806e4d1ca147940b74e7d8350ad182d72

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
71KB

MD5
4bffbb65893f66b0b3fa26bab8c9a9b9

SHA1
2adf0c67965036532dbd2dfc1c17abd67382871d

SHA256
865db8ca46935a8b89430d0a41c88964d185002e04c424572229cb7547df9621

SHA512
7ebf46f7b34d70f40d167ce2f035587a84d6827bd8c631184e6886a7aba606d2bfc22ae36aff90ca5c855e3cb5af1ef7cb099a6dfae9e4ac24ec11d652618729

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
71KB

MD5
b1d2de762c51f03fac5b8ded47233968

SHA1
033bc79a0786bf3c3ffa18805d782333cfa39a38

SHA256
1116e83d94d94cdf229a49e1ba2056814cf97942856653eb451ba687c8e9f192

SHA512
cd4f20626ac3402d62f3143464866f85cf3e183cdec007488040ff03b9225ff6d002defe375dc2dd20f326bf73d40b8cee8c4cd4129d2a533799ae0b1b65ada2

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
71KB

MD5
2638d902aad0113d7f6df6a59098ec96

SHA1
e2407bf85487fc4ff936c45ee28ecaea9782e2e8

SHA256
adbaa4e4f767acc558c4276e46a9895f4f28df6273e7e712547e7d8f9d4c4def

SHA512
36e9e59b2d59e1ac00755e79cab3c1762594ed290d7af1c95a113ef5639882d8701ef00f0ac0a70341c99ba83d94de85654cb74b86daecf184279facb164a3d8

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
71KB

MD5
0475a3918d05da75d70f0d18b41f4b61

SHA1
103934ebfda684e411ff76fa0d6e3d9eaaecf39c

SHA256
5923968a35520f5988969bfac378d198a53596593c8fd767dde084c4f1057b96

SHA512
40f84a7d1c4903e3d76547a0741c27843456441e0c2e5eabcf46f204f2a6f12b6a1d27f56088d9bcbf8f19ad625d07d7e49313940049add9fca4e282a67c53c2

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
71KB

MD5
d4a2c9d3ddafab68abaaa471072d5b60

SHA1
f187978782c8b17e0174fb38c8c3a9847e606814

SHA256
236967cba210e7ebcbd8c2954cf701d5d840c0f2410801106c0d7d5289499912

SHA512
5170e8600a6aed89668ef52cf85d9372c7105a911d36c28afb9fd2b5bb5f806849bccb98b5397400ccfd32022ac7cddbbb9f66d3b0a9f03ef825008df175980a

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
71KB

MD5
34b599eb4e6da0596e8b42755beeab02

SHA1
f7a6197261faa25a89c48b51a5868799c7fef980

SHA256
bfb508d2fff5dd2fe4ebee6ed4cd0dc04763fbb1ad5a742eb651bc902a73337b

SHA512
6e2e8bcbb41765fb34817990e1cf4b9c8335ed2f0ff4d3238d1211b5913722e3b1febc409bf636c7ab46d7009041da382a0996f912860181af343d21482d4cef

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
71KB

MD5
87dba7378c14129d4e0813e5eeaff617

SHA1
ade36d4464273fc73cdd71db70d81ea0433f786d

SHA256
0fc65aa3c74f6f0eb2dd6f97a7b74f15f0d746d41ad1230eba0381bb8725076c

SHA512
4050980daf6170beca6667e45f5aef2dc0eb92d44a745988fa1f5948135bc9f89760ed4afa3c5b192e43d132007f5710bee93530d9f6fd0d54554177ee5643a2

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
71KB

MD5
a86b8fb49ed3ecd029e82cf1ef03ea71

SHA1
f6569c8c9fa1a1e5cb2111589454de446d0ce5ac

SHA256
703769775f51f2e3a441249f07a68675301e667f6a68c5291c95c58202bed7fc

SHA512
c109423fa602bada2094af8ca6d24dcda2f03c62b6461d7582423d5526d8796fcebc71787c247e67e8af38a1bda820d2b3c74ad71d13c8937b6f2f900b90739c

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
71KB

MD5
8e7be610a0895b8c9f6256d424307927

SHA1
7c617f2b8dd1aa3f0947ed011ff370ce4586da21

SHA256
1b1e36503775258159dc3143f346369841d8cf5308a5038a78edb28639665ec8

SHA512
ba22eea0e68325fd77e98d4439aa2e81c5b3bf47da1a71a59e8506a647ace8760c623a00f905a9b745aa32b8d4a10b17c096efc9a32d70012f81ef4ef4d21232

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
71KB

MD5
6d6ab69b71404d68f09c5c5b69a0173b

SHA1
f2bb042aca4a14ec5ce3937af4ad0faa560f1be0

SHA256
d6d6d49baa55a3ba87430b19fe11bd9bb91c730fb6ca8361cf1c998840cf46e7

SHA512
24b72076f12fd192d0d5f6e71d234a415ab5bbc0d77e68ca8c2592089cce8527644e03b7210645669b03795ac2d7bf283a8f3cfed19554aab9d3bb1b1eb56450

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
71KB

MD5
1be5ff176fd6384afc8ec2f272b5f1b5

SHA1
ff498b99e3a527c37e43778f56448392d37abfa6

SHA256
0bf89a974f789afe61df91b3e7d2abbd47e36733e5daf58afce2f06014154325

SHA512
41b9c49435d86561be452fca09342d9ded6b2890ddfbd982254f0a24e830a03eb5bac4c0b44a33b35f283fdbc559511afa57916572879a220c29e3bc8db0d91c

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
71KB

MD5
e19be4706d8d7222e7c805f1bfa4e3fe

SHA1
d4c40eeea92854a8b60ffa33126a026bb32b0fd3

SHA256
bd391c183f7af26350a92f9ed9a033aeb99c88b5dba4215b033119b6dc72790f

SHA512
5c6af07679b51aa16bba40b728ced1945d5e1aaf7a94c40de7ba1dfe2bd0c73c892e23543f3ee6dccd5dac49fcd1c67d20333bc9d286177fccb583377f3337b1

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
71KB

MD5
56328785a81ec3f74e41ce846ada6e58

SHA1
251767f773139dac3b70b8934f1930017e669abc

SHA256
4b9fbc488e45c7ddb6ff3f4c275020cdd9351ddea0f1f0bf52163e5518b51248

SHA512
348b9dbdce531c81177aacd1388d64a80dfc8d8852c62993a3a5965abdd51a44915b05601e056192de34f3827b216190210dda11b90a3b89060555b9b9532c5e

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
71KB

MD5
c50626bc44907e556336e3768447404a

SHA1
e276e2f2931c7d5c6b98e4879fef6088cd76c0eb

SHA256
d5823e8310841be9988aa972cd7cf840f12711dcdb1515974e20c455a6f8ec49

SHA512
c4dc2656f612cba6d5eb3d5699ad1d32a320155dad8a5ca1df6c3473698a5718c95da8517ff1078176bba0080a742d6758ed38d7df0fc094a2996ed97d9a008f

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
71KB

MD5
3faab93b62c52b1889ba92a7f6c5aba2

SHA1
985d86c34e11826d3ac5b1e8875b777c5ff88ae6

SHA256
78837e87d2a2834596639f638b4ee691addbdd9d0334c6d5b4ea8c544ee00bdd

SHA512
16cf1f679651d2addc4bd1519cb0d89662e8674879128f31e66ced2e9cc59933dcfe084daa8b25fbee8d090ea006546cb9c51d31bbe45db6961aa65b4d5e8709

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
71KB

MD5
cb440e0311d5ddf48cf0c193c0f181bb

SHA1
508df89382ebdbc01cd9fb35d7254d1c50edddfc

SHA256
ff1e00aa2a4ea9e851af24582b2fb1e6f684ff4503d3f1f53b9532a65b210ce7

SHA512
9bd56ff86038ce01245ea2bd1faa85a16a8202379b2896280575ddd76f7295858c89d7092474521662bf4f95ecc546a1c903ffd0fdcefe29e29e3f6d51047eaf

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
71KB

MD5
f08d3b0a89fef2c704c9737ca1c8c23d

SHA1
676dd959851afc9b29f2eb03bf54fe0a5b35eaf0

SHA256
0704436fa2cf982c6e0254a31f203f463a6f3eb6c667138276e979df8fd2e74b

SHA512
ee4df90f0f559ae4c35da4950c9409c6a150595222a24d3c216c97a35dbb1da9070ca5e18a86c274d8b91b748e1c14839d61042a999aa40b6918f219afa5fcb7

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
71KB

MD5
a155f77bb39f4b30e5d4e37ad5658cd7

SHA1
babd3f7d0daebc40d545a6739f9c00e0ee1bad47

SHA256
64c6d574efddc4a268a5b1bbe3f0129e5daead65ad0329f624ab463a8efe20f9

SHA512
2171bf89e0c921704d202d28f3531a16600831959ba6df30947fa9e0c0396ebef38b08bc383920aaf75ed697ad338e6555f738e12681cfb35d92c06b861fa8c2

Download Submit
memory/212-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5660-1135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6088-1141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6796-1086-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads