45c03bedc7c35ec66fa32fd027966e553053250dd1bdf174d232d549b339d0cc

Analysis

max time kernel
140s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe
Size

265KB
MD5

ae4346495dd8e9112dbac652e5c04ef0
SHA1

b19e20d587477c6c6e27bf1fe85bf74dccb3d561
SHA256

45c03bedc7c35ec66fa32fd027966e553053250dd1bdf174d232d549b339d0cc
SHA512

bd96368e3acd54e7930f73397375f95a854be98d07cbec6cf32e4a43b4c07b91cd4891fce9883f8baeedf0eb8e33a19acefd3b7dee45e844d1f824011c215470
SSDEEP

6144:/v5NoRTTLp103ETiZ0moGP/2dga1mcyw7I:/v5apScXwuR1mK7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe

Executes dropped EXE 64 IoCs

pid	Process
3496	Fmmfmbhn.exe
532	Fcgoilpj.exe
3248	Fbioei32.exe
3484	Fjqgff32.exe
4820	Ficgacna.exe
1940	Fmocba32.exe
4492	Fomonm32.exe
3388	Fcikolnh.exe
4044	Fbllkh32.exe
396	Fjcclf32.exe
4448	Fifdgblo.exe
4612	Fqmlhpla.exe
1456	Fopldmcl.exe
5032	Fckhdk32.exe
4992	Fbnhphbp.exe
5108	Ffjdqg32.exe
3916	Fihqmb32.exe
2764	Fmclmabe.exe
4408	Fqohnp32.exe
644	Fcnejk32.exe
4652	Fbqefhpm.exe
700	Fflaff32.exe
2220	Fjhmgeao.exe
4816	Fijmbb32.exe
5004	Fqaeco32.exe
1960	Fodeolof.exe
3104	Gcpapkgp.exe
4596	Gbcakg32.exe
3268	Gjjjle32.exe
2120	Gimjhafg.exe
4028	Gqdbiofi.exe
4812	Gogbdl32.exe
2024	Gbenqg32.exe
3176	Gfqjafdq.exe
1176	Gjlfbd32.exe
3092	Gmkbnp32.exe
3748	Gqfooodg.exe
4632	Goiojk32.exe
4300	Gbgkfg32.exe
2644	Gfcgge32.exe
3752	Gjocgdkg.exe
4092	Giacca32.exe
2224	Gqikdn32.exe
2812	Gpklpkio.exe
2672	Gcggpj32.exe
3368	Gfedle32.exe
3544	Gpnhekgl.exe
2228	Gbldaffp.exe
324	Gjclbc32.exe
3772	Gppekj32.exe
4660	Hboagf32.exe
3432	Hjfihc32.exe
3644	Hapaemll.exe
2640	Hfljmdjc.exe
5084	Himcoo32.exe
4724	Hadkpm32.exe
432	Hbeghene.exe
4672	Hjmoibog.exe
4500	Haggelfd.exe
3520	Hbhdmd32.exe
2196	Hibljoco.exe
3708	Ipldfi32.exe
4588	Icgqggce.exe
5048	Iffmccbi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gddfpk32.dll	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lilanioo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6468	6252	WerFault.exe	242

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 3496	2808	ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe	82
PID 2808 wrote to memory of 3496	2808	ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe	82
PID 2808 wrote to memory of 3496	2808	ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe	82
PID 3496 wrote to memory of 532	3496	Fmmfmbhn.exe	83
PID 3496 wrote to memory of 532	3496	Fmmfmbhn.exe	83
PID 3496 wrote to memory of 532	3496	Fmmfmbhn.exe	83
PID 532 wrote to memory of 3248	532	Fcgoilpj.exe	84
PID 532 wrote to memory of 3248	532	Fcgoilpj.exe	84
PID 532 wrote to memory of 3248	532	Fcgoilpj.exe	84
PID 3248 wrote to memory of 3484	3248	Fbioei32.exe	85
PID 3248 wrote to memory of 3484	3248	Fbioei32.exe	85
PID 3248 wrote to memory of 3484	3248	Fbioei32.exe	85
PID 3484 wrote to memory of 4820	3484	Fjqgff32.exe	86
PID 3484 wrote to memory of 4820	3484	Fjqgff32.exe	86
PID 3484 wrote to memory of 4820	3484	Fjqgff32.exe	86
PID 4820 wrote to memory of 1940	4820	Ficgacna.exe	87
PID 4820 wrote to memory of 1940	4820	Ficgacna.exe	87
PID 4820 wrote to memory of 1940	4820	Ficgacna.exe	87
PID 1940 wrote to memory of 4492	1940	Fmocba32.exe	88
PID 1940 wrote to memory of 4492	1940	Fmocba32.exe	88
PID 1940 wrote to memory of 4492	1940	Fmocba32.exe	88
PID 4492 wrote to memory of 3388	4492	Fomonm32.exe	89
PID 4492 wrote to memory of 3388	4492	Fomonm32.exe	89
PID 4492 wrote to memory of 3388	4492	Fomonm32.exe	89
PID 3388 wrote to memory of 4044	3388	Fcikolnh.exe	90
PID 3388 wrote to memory of 4044	3388	Fcikolnh.exe	90
PID 3388 wrote to memory of 4044	3388	Fcikolnh.exe	90
PID 4044 wrote to memory of 396	4044	Fbllkh32.exe	91
PID 4044 wrote to memory of 396	4044	Fbllkh32.exe	91
PID 4044 wrote to memory of 396	4044	Fbllkh32.exe	91
PID 396 wrote to memory of 4448	396	Fjcclf32.exe	92
PID 396 wrote to memory of 4448	396	Fjcclf32.exe	92
PID 396 wrote to memory of 4448	396	Fjcclf32.exe	92
PID 4448 wrote to memory of 4612	4448	Fifdgblo.exe	93
PID 4448 wrote to memory of 4612	4448	Fifdgblo.exe	93
PID 4448 wrote to memory of 4612	4448	Fifdgblo.exe	93
PID 4612 wrote to memory of 1456	4612	Fqmlhpla.exe	94
PID 4612 wrote to memory of 1456	4612	Fqmlhpla.exe	94
PID 4612 wrote to memory of 1456	4612	Fqmlhpla.exe	94
PID 1456 wrote to memory of 5032	1456	Fopldmcl.exe	95
PID 1456 wrote to memory of 5032	1456	Fopldmcl.exe	95
PID 1456 wrote to memory of 5032	1456	Fopldmcl.exe	95
PID 5032 wrote to memory of 4992	5032	Fckhdk32.exe	96
PID 5032 wrote to memory of 4992	5032	Fckhdk32.exe	96
PID 5032 wrote to memory of 4992	5032	Fckhdk32.exe	96
PID 4992 wrote to memory of 5108	4992	Fbnhphbp.exe	97
PID 4992 wrote to memory of 5108	4992	Fbnhphbp.exe	97
PID 4992 wrote to memory of 5108	4992	Fbnhphbp.exe	97
PID 5108 wrote to memory of 3916	5108	Ffjdqg32.exe	98
PID 5108 wrote to memory of 3916	5108	Ffjdqg32.exe	98
PID 5108 wrote to memory of 3916	5108	Ffjdqg32.exe	98
PID 3916 wrote to memory of 2764	3916	Fihqmb32.exe	99
PID 3916 wrote to memory of 2764	3916	Fihqmb32.exe	99
PID 3916 wrote to memory of 2764	3916	Fihqmb32.exe	99
PID 2764 wrote to memory of 4408	2764	Fmclmabe.exe	100
PID 2764 wrote to memory of 4408	2764	Fmclmabe.exe	100
PID 2764 wrote to memory of 4408	2764	Fmclmabe.exe	100
PID 4408 wrote to memory of 644	4408	Fqohnp32.exe	101
PID 4408 wrote to memory of 644	4408	Fqohnp32.exe	101
PID 4408 wrote to memory of 644	4408	Fqohnp32.exe	101
PID 644 wrote to memory of 4652	644	Fcnejk32.exe	102
PID 644 wrote to memory of 4652	644	Fcnejk32.exe	102
PID 644 wrote to memory of 4652	644	Fcnejk32.exe	102
PID 4652 wrote to memory of 700	4652	Fbqefhpm.exe	103

C:\Users\Admin\AppData\Local\Temp\ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ae4346495dd8e9112dbac652e5c04ef0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Fmmfmbhn.exe
  C:\Windows\system32\Fmmfmbhn.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\Fcgoilpj.exe
    C:\Windows\system32\Fcgoilpj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\Fbioei32.exe
      C:\Windows\system32\Fbioei32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        32⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        35⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        44⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        45⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        46⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        47⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        49⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        55⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        57⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        59⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        66⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2768
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        69⤵
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        70⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        71⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        74⤵
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        76⤵
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        77⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        79⤵
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        80⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        83⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        84⤵
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3320
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        88⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        89⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        90⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        91⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        92⤵
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        93⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4960
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        95⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        97⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        99⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        103⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        106⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        114⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        115⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        116⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        117⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        118⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        121⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        122⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        125⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        127⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        129⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        131⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        132⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        133⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        135⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        136⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        137⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        139⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        142⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        143⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        145⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        146⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        147⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        148⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        155⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        157⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 420
        158⤵
        Program crash
        
        PID:6468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6252 -ip 6252
1⤵
PID:6344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddhbep32.dll

Filesize
7KB

MD5
df1e32b877a04882d5950753161abc16

SHA1
5fc5c1f304dc2838bcb7c3a0162341f35fd13bde

SHA256
acd4455f725b9d1e391de69d19c3c5ee519189ec7e836d6ce9e461fda51a1896

SHA512
6de159d261ae31b8d4c1ac481d7010b26b8d5353286a293cee285afe43f6b7951f83877d25f40d499d0b9b736b7571584c5a629f310c16bd5bc7b79c113df056

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
265KB

MD5
7ae09ea8d7ce09f1e043062879c06131

SHA1
9113d366a730ba3da3644056be6b23c15be67168

SHA256
91c34d25575aceb802ff470e38c1a06b0e389643cbe6308f10a97c4f9e18e2f4

SHA512
1569ef248105e2be27a7d977afa5cd726898479deceed699862e9e93cc9f888a151c3fbbb06fb04b1acee410a3da6381e773345d23086935b64c1925316f35ec

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
265KB

MD5
21a064d8c3341e73684e31111f747d66

SHA1
de90775c29e925dac4e391bfc706a4bc115ede4c

SHA256
7f1e87d49140269b7eb1191195661b5997c031fc77e37f0f3d213c90a221a9e7

SHA512
c51ae0616ee435a33d13e5f982049befce79fd572c92d7e1b32cc70e34e676efb8217c8afe59fef4de2171cdba3011f74fc63f6b3433585ef63374f15f159b0f

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
265KB

MD5
994996ce42602d0af8c8a715ebb22820

SHA1
4d56581c2981aaa3235371db5ccf42150a92a0a3

SHA256
1d81893bdef8a858b62ab898b3fc6f07775ddf289ec1b689dc604b9e4ae322b4

SHA512
942ef4cb6fab9b860b855a6b66b274bca51d6d3dac58b0598aa9d5eace7e729ea425a4e1270f4954d4c7eb9f8d58ab1a1eefa47a75c173c67943b76bd8978535

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
265KB

MD5
4b13bf6b2a904ecbe3b73cb3c745022a

SHA1
5d69fbe8020bff2a95e4ca1eae67119f747b483c

SHA256
1865feac815e404f3684abef79423c45df8cdfc7c255644e67ed01d4b6c763f7

SHA512
823c682640738bbf973848bb3cc9df282fbdb97607e987c059432b65afc88dd2d9eab2e9ae40f77a68ebb65e2ab454c26a4d7ff5450c95a67c955c1929b11030

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
265KB

MD5
96a06b18954bfb15b16a00db219c09f9

SHA1
d72f1cd25ec3a41f5add517305324285279d0508

SHA256
810ecaf3e292fa1bedb2765f4f6a29c6a2dd848b293ed64b9fee967025fbee1c

SHA512
c4fdce56010ae8ec112aa3d67581e6e52f9b8391909b35c37c607ccb491e56655525021b5fd077b3a6e6fa3fa47d4adad9f927ab4f22fe55950cc6dd219cf3e0

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
265KB

MD5
babaa51004d2f10e002b3d4cf1835d28

SHA1
323f4120d78fd5fac410683b8cb8b80f4c637326

SHA256
d71146b26c6719dc9280560f2849669ea09731e61dbc2c66a7bf7322f1a2d70e

SHA512
783b36e835ada048e21fd0b911742a57bc3d34e5bc0d54cd3e8796efe85b198ebe58a77723dbd59f81d11c9a8ba2be31295f49bc784bb6d3a51863276489947c

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
265KB

MD5
6a5a20b0fcf450765b6510d511aae932

SHA1
660058a6ef5a3c1e7dde9163c5a4285d792f6c2b

SHA256
e12886dfb2a9feb2ead5d952095960a13e3ff5369acd6ae2cffc816d91b1273c

SHA512
b36acccfdbec361e7ace7a6cfde14860eaa45671e4c09112c9751d5ec9ba2b5eed38f0e523c2d002d4217e95e661cfc3fd8c6a3c886252f1ee063819750b2288

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
265KB

MD5
42425013d2357bb2e7b77fd731d30da4

SHA1
887d25ca19a781b856da334c81828a5acd8ee7fb

SHA256
35bc2d2c63eb3b0090ae92e812237f2284407e8f1d7ea4183fb844d3ca908a71

SHA512
07ee3f737f6fc3675916c8bacb356f614ace7714df426c03cd82a7f7d4c5846337a6b771a2309b164aa36c1564c7fca15987bc65c36130f0f053512fd64f2062

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
265KB

MD5
e546436a00457fa3ced4df397c6054c1

SHA1
c8ef2b0b4d27306518fca9f8462858d3459d929e

SHA256
a1fa50770b96d0ca4fb8ca47935cf133aabf605eefca0f68692e2ce2359cb7f0

SHA512
5a508f60a1bb1ce6263f21f217ae3ddde2b34a7b1ff9d680df5222c6be75796be32b615e623f2697f3611bea0e0c1291e32256dc259bfb52734b5ccc53602be0

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
265KB

MD5
a17cfa4cefe6306b69fd55fa7d07a5d2

SHA1
92b083da1fd27132f58b1a06c3e0b9f966d7b9f9

SHA256
c9648a016861900dd595ce86c43f5cffdaa14cd07f21c387868815b6f0910661

SHA512
0cf2be593bdbb48beaaff92f9d423b5fe1e9c652a20c4f0da223a7ab69bae6a1150bb7ebd1302d3b7cd06b232805597f2e087b47a9a5ffe5e9c7130c376611ff

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
265KB

MD5
5d448d59c8ba17a135ccd116893b8250

SHA1
3b578ad593874edfd29fb9af4a9bd91336e53ae3

SHA256
7c563df159c5600f8724d74d5386791397d8042752b27f3931af1a01a74ce5de

SHA512
fc05f657f8c201c9bada80357419bfdab6599e279e272d95be3d651a70daf0699399b49c97cfcfe492cef1df5457d3539388b88c7603c0505e68df6a0dae11a0

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
265KB

MD5
137237c803e5bf51ecc276564eccc982

SHA1
7b9433d122b584a01f5f95e3f96158dfeba4c171

SHA256
2ae4293966410d97434e53d8afb39bbeaee9a49b340364a2721f6ff03a30baff

SHA512
f5fd556f7a34299d9995e87e62b5d3685b239166e043f8fd43c5d8656855b96da99ad7812a9c960a6f8ad4ae43d2cd2cb2e550031d85e9ae79be8a382183b258

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
265KB

MD5
42e3a3f2ba34ee3378b6737da22c270c

SHA1
f27e4e0fa0e636179873ee9c0acfc81002cc38fa

SHA256
7e1dd4a8801e6d258f747c3a1c303cdfd38e47a6ba3c5e61b0f18dc159f51d74

SHA512
43b141b76d1e3b242e48dec4aada67a373775eed07cfac2be92ad27c67bfe57e186881d8bfc4f28f25088d758c828ff1a6032c5cf171ec76b38aad0bc9c63909

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
265KB

MD5
7acfd392579b543357f614dc8cc5bceb

SHA1
477e6746ccdd2688de58607dc20eab2b4920547a

SHA256
7dc8b4abda0c2450c128d0b82d19f6da8f4f2954472c0506bf5397981879442a

SHA512
56ff9a4006907e6d7839c40f3ab12bd353ac02dcef7901485735736691ea05591ba86b258fac4a7e06fe570630d4f46d835f5834970fd3ebef26e25818420c82

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
265KB

MD5
e807429685e1024aa9975d91fa59fa82

SHA1
f1d64fa1686e4a426841734f92959bf41f573b28

SHA256
83516f502dcc5100834a7d5cc346516f70b27ee739f684a3ce691d4ecaa1cf59

SHA512
f3e8aa39e847e2117fdeef6644e18d0af2bbce20ae1fcf064dd2fb0c7fda9a494c0b2b9f5b022346b93222d6b6fabbf3af8e589e67c410652c4c9d0a868e224f

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
265KB

MD5
b9afd3ea6918eb828762fed1bd58ba66

SHA1
bed001ae37414369eb8d4840efac578fd8791bd8

SHA256
dedbc2d7dd4545de45e38b73b1dc10f11550b9bd5e4b3bb9d46caac2e3c2476f

SHA512
df62f60f4bf5596254bbca909814db64cd5e7e9a0311abe22b5dd3ef82930b98b3e9b31a76299528198f73765c1527c0bedbedb737ef121da08efef5c76c218a

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
265KB

MD5
560e12bd41e9e3dd0bece92bd8eb0002

SHA1
b14c9311fafe1497a0750c45d1ff83bd082b90a7

SHA256
5b1c19c7f2df85bd98063af0b5ef11a14e3256262149ce82722a1a5c5e70de6b

SHA512
de5cd94f4ffd1fa7b0b968f5282836392571652db0fc121f95e07ee74869942a2917b5bc2a645897a6f03ba6127670d886ef5a6ad5121a3efa7c58ce2f3ea731

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
265KB

MD5
c8698ac1fc449d0272025c8de1f1af71

SHA1
f527ad08dca55a6cb53cf6584d2aabeace065c42

SHA256
1e072f097d3acadb32828090e6cfa6c2a17b7b8d976fa772f19865b3c4c3b56b

SHA512
2cd3ad89162c2e0743ba3ad6ec38ab6edaad09c18c3d8b407b91bebc9efc6b6b96468ca5c74c9b19b1dfdac7b79fe6ae710cd327aca7b602b852e34dd6e3cc89

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
265KB

MD5
4ed90f57d1bc349b54d42d9fca4c463d

SHA1
2d5e2fbe9070d49fc3c0cc034dc1f69be1c5e139

SHA256
ca3b25c5e91c4b8d76976eed72797341c7d3dad9ea96fe251d62b85eaf667f88

SHA512
9071cf1a0e4f3cf15723dbce7f6e16c33189b1c6261dfd8c2c8f4bdde277b2d3e1a1b1e0aa1be70c412bfeaa0200737255f1cd9158899ecc18ecfc617657b467

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
265KB

MD5
771cfad0a8a0eabfd5865d27f7b6f0a4

SHA1
c8f85170418feb9be48904deab0bedce32206bc3

SHA256
6e60d8b80d21e598b5c7707540537e048fe08954e57d84bae2cb43855659a598

SHA512
c93d4ccb7942326e846055c63fd563576f5572603ff00874fff409261128263e94d0aa8295a06bf953894cc821197211a36a47c460163a5a7742a18b24a3dd77

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
265KB

MD5
97febe0d75316145d3168d1db61b4325

SHA1
c5e566fc639d6cefac88f58afe9808622288bd99

SHA256
fff7dc009d59c49906308f6f871677e8bf3e9fab80b96ea11531cb823c6d00dd

SHA512
b9917b8cb3e912e4c1b5e7fbfcb9272d1f9bd500a51b87df2813c13ef8a08b5f0e8d88fbac89c2ef7ff295972c1d1a4f8b77f8c9ab76adeccf9c68b5e8482007

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
265KB

MD5
cf151f6600a5c5d962ec74686031f498

SHA1
40f9a7fafb0a3ac22bb72cdcbcdb4178a7a82ed0

SHA256
c3ad5717a75dd5bfc33498501a2f3a08a4b60f98c601dcca9e685c518dba4ed7

SHA512
4f841abe59e36ae20e06189c7e1c8470b752964412f9c52caa811d997d4055d5eef6b78422113776cc0db3e843dbc75429059bff5c743796311e5d4d9d413faa

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
265KB

MD5
24c3b60a9cdea723944a3d3785b10be3

SHA1
641842f0903e5136ada59c2d3c53fffe655fce16

SHA256
ccf16fde0ec01cd2391160abdc67cb1f443c1edd3c6e2ea63912b80f126a0107

SHA512
8a2d5e9372086e41b37ebc053f4f1f126cdf7c940ff459f69094baf71c062941834f6d4425bcfae7f1b970f6c794f93feb7d259b7057fa9bea628b780886509e

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
265KB

MD5
3f6eef7abcad98f72e765c09aa8f2786

SHA1
177252326c6dbdfd8879097112de2b8603c0f53f

SHA256
8239a3ae29bb79802b1b3b59b7704fa930a57b17a84a2671281c895cb3cd981d

SHA512
392057643478b84e32d98df479754deaba1c44742597f4b96f01bdb8ab9a3f37741088abcf64f3c458ba18bc7f90fdb0b7176d75c5830e445024d1c92db9d226

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
265KB

MD5
6ec8b348f62ff091a141ee5f884bd6a0

SHA1
cf086d6923ed6b3a795e49fb9fe346972736d8e9

SHA256
2b82d69836a2de411070f499a9129bc9ba080c7402e498938f9582fa8077d067

SHA512
0336a52ce763ed4d498a95a492e2437c1a15fc27b52fdc8ec100ceb697cf6ddddf18776710b399985f2a2a3b8fbaaf3d31f2741616d4a9aba0cc73392424b408

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
265KB

MD5
96f5bbaf5b5a1df27b30f9e25b28189a

SHA1
d13b4cd815cb1bc01bb9d3183e79448077d093ed

SHA256
2d1366c31c32f9994b0b33b2d1984230ef3415e11e044c9ad4c4a4790d66311e

SHA512
6e31b12c2444fa5c741c209b821b103305e2094888050e004667cb9d1670a40a4fb3e57ea0608b9f3b8a2f99613f72a617f38d0905d0748cc1295723aeaf305f

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
265KB

MD5
3fd0705c12685ffd29fdce5092e6fae0

SHA1
0654c677b4941041db04bd6527da729b094b0ad6

SHA256
7716c5103ae863e728567ecd654f421bea318dde541a45c6d74b97c4e66c309a

SHA512
b63527f0f4a03df4aa8e443d0714e46abb311efda5e51b6335a7152dd575449911b033093b3bbeb536637d3a86ed698d30b7d8425253a699e39f6b45835f6399

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
265KB

MD5
6784a1e3273dfd5b7b0e18bdc7d92140

SHA1
6738d1eca16a59144b6ee17e30e7fda074b6318a

SHA256
49805e74f39323e2598a4aaffd8830d14a49bbbacf1c03d691b44950903372d6

SHA512
31a22c9cca4a7cd6d8b56394e3db105c93f8dd0d99cc04be0fe364d5f89227bece9dc2adbd10fec79c2051c34778e57ea49e71e80e1160e58bdb1f79d019ff20

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
265KB

MD5
8b7157d5ccee1408379ff3b1333cc374

SHA1
fa555276e1a30f2cef77a9e3fb4488bf84d41fa9

SHA256
28f2783f1b471693ede2039d4cd6f2cac3a4c55e859398861736012ce9fd97b9

SHA512
30621395fd371e6e45b6f31b76e07ece48ba6505e6c7507121eef4d22b132b1bf5ba71993d9903748f8e8181a8f91d4225a4a0e6cd942031380f4717af5efc18

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
265KB

MD5
63ae1f3ed7c1fbbbdd5c8fda2a8de491

SHA1
2f89dd51d14c25fdf589591188e70b13187c0fd3

SHA256
4ff7388b13cba1fd52d6884dcc0d15a117f49bdd05783fd49f098c898f97960d

SHA512
9522e4f8761e8f8b09db6dd6b800a84449aa0ba4162151762a05d0cc435792916b3582d9da90074d38d9d56cd54a6af1d535136732a8ef153885bdbf68e118cd

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
265KB

MD5
91acd5e4b62aeae3031c21a7a0ec347b

SHA1
fce04cd9b546d3a2600592706328a83dd6ef1e7a

SHA256
282c7204f151cfbb2474ed9e48ec3a5d6c9d30f8640b6b7a4eedb880d5f613b2

SHA512
819368d0bb5d6f35447d7ceaf6484db11e065c1ff323703fe242c9f654e6bbd5539b6bc75c4c8ca2e0433c7705c41798b5b2a0a8f390d72c6a6c18902c609704

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
265KB

MD5
861a6f96dc2079af724af1bb39922c3c

SHA1
3a4b6bda73801f4f4489560634b1ee6d28471073

SHA256
fc048d9b7c3c0f6d9958710b4cd92b1e7ba29a91b37ce9c6fb7f7459acc08e28

SHA512
8f4053a5745de5e413287e34fc6216d5dcf36aba1ce89751bb00722be0087802a6cc056360cc972ff3dea2e4a56ea12dd1a4c8f06922030835c75b581fe3d630

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
265KB

MD5
ecc0b18d0681c3cf81ccfd32cc5bd53d

SHA1
63ab4f83e4e3803b5b1fbfb0cb68dfe99a74236d

SHA256
b1fd5252c3266d0c3711dbb219f87e60935c85d3fbeb82357ea7cd6ca3230758

SHA512
2cd60b685c10c2fcf27bf742d5645637ec4a5951c392787e8f6522a8237cb45226afc68dc153fef1b73f2f671244923441d029925661d1c79dd76c1eccc4464e

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
265KB

MD5
e011df7615edc173be6449e52e140720

SHA1
7d2ab386d7daf93e532c5a689b9d19afbb2a841a

SHA256
03157d3d1549db9f88d82da0c2d02fea7065cef49ba82e0a0f27edc06349fe3f

SHA512
362d2ac2a669de9dd658e37f3c7883c0ad0405e42a3db66e1c050f9eb7edd6b96069e76d77d1c731b2da77ce059b1c52a82f5b3a8cc5855f7fd71916c3e5df24

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
265KB

MD5
44f7718566f551790dfd7834549c57f5

SHA1
b626070e07fe152494d626945c9b5d656e42246f

SHA256
99ac473038e9cf00b3d938d01bca3e63564aa58525f98cb8b78d5a9af1d58d69

SHA512
b56cd2adbfab722704602052a657055d6f47ee45e325e04238692fc6f2874b43b1507ae0cdadf4b7ed9992a12b886a813a2eb6b2403d0b0852047d27c57ccdf6

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
265KB

MD5
6c14726d101c8bd10a1d61ab9a51c158

SHA1
8b5264e4d290824643ba29d9a78e4e1ca3c48eed

SHA256
79dbf5de7ffada28194f74f3351c88e33afd1f8973ad35ff0db4bbeca5c79b08

SHA512
6d1288a10405a3742ee83e4c72fa5afb8d6f19ec828f30b952a60a3f593c477ca6a367581b462b3f941736d20a78acd41ce1bd4b3914185eefa55d48f3fdf8d2

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
265KB

MD5
849c04a79a9cd20e7aef4bb74dde0d8d

SHA1
4283fda7625358a7ea726a8bdc0500bf1ec3399b

SHA256
7ab5138487ff3258f8d6b25111e7e5d503b5d31a2b2665571e4888cf4e1ed66d

SHA512
7e9925037decd08fb49c00bcc5b7b07e789fd37a052a85b4fddb43a0f1dc966f115b0553d8dd0b1091ff2413bb5856757db815ae4dfd5e0b6fc9baf62210b77d

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
265KB

MD5
32d3df1f41b681ae884fa52f247a991d

SHA1
c53eb498316a366ae6bdee78ad67a0f592a47735

SHA256
d5c1b79fa356187ac022802c04cce1a25174f9906be75b1d6c70951eddc77586

SHA512
f0cb9607412365da9a72cb3990aa65fc9d3789cae0c8b06d82726f0455ffa92beff91049bf8e832c731cd52eff715776de1711ef39037091a63a86f980f7d123

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
265KB

MD5
ace770a07c74857780992dfd7b14628f

SHA1
9e6edcfff051bef010104e6188d8a74345f8dd18

SHA256
e08bb94e8ef826e96b034c4a7d94f731a806aaec412be83640dc1a94221d2525

SHA512
9365593dc678130d7a4315a5e817cc38677503f7bf4a1ee1abd59018a6e1c503af8982e927b1dfa0d59443377b94abe7be0909122b77d8664f07f2d66906b318

Download Submit
memory/316-577-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/396-302-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/432-392-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/532-20-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/644-326-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/700-329-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1428-547-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1456-305-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1600-589-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1620-504-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1940-58-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1960-333-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2024-339-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2064-529-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2172-565-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2196-415-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2204-583-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2220-330-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2224-357-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2228-363-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2372-506-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2376-599-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2640-374-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2644-340-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2688-541-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2808-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2812-358-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2956-571-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3104-334-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3220-517-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3248-35-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3268-336-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3320-559-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3388-300-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3432-366-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3484-37-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3496-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3644-368-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3708-421-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3772-367-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3776-482-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3916-310-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3940-540-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4028-337-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4044-301-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4092-356-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4204-553-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4304-503-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4388-449-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4408-325-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4448-303-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4492-59-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4500-404-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4536-606-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4548-469-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4588-432-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4596-335-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4612-304-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4624-523-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4652-327-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4660-365-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4672-400-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4724-386-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4792-487-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4812-338-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4816-331-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4852-464-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4852-1182-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4992-308-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5004-332-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5032-307-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5048-433-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5084-380-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5108-309-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5132-615-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5152-762-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5172-618-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5216-624-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5292-639-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5292-1122-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5340-773-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5368-646-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5388-1039-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5408-656-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5432-779-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5488-668-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5524-669-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5568-675-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5608-681-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5652-687-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5692-693-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5768-708-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5848-720-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5888-721-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5928-1016-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5932-727-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5972-1089-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/6008-738-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/6048-748-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/6084-750-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/6132-756-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads