fcd966ccdfa26d2db3da96fafb8d1b9c011d3ea704a5980f97070ae3241a6939

Analysis

max time kernel
138s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a276dd6a238400a85b8b3fba420d50_NeikiAnalytics.exe
Size

128KB
MD5

78a276dd6a238400a85b8b3fba420d50
SHA1

bef442a6723d06f3fb58d0f06dc809a65f20aa2f
SHA256

fcd966ccdfa26d2db3da96fafb8d1b9c011d3ea704a5980f97070ae3241a6939
SHA512

4b705def267bd76291fcac27840833d727fb87c7e518b6b3dcbf87abffd6feeb0dcd6cd6342a0fdcced32444956cc4c2b7928fec58964df0f943931c601a2803
SSDEEP

3072:vqSRExtnYJ7CeR02qOQpq3HNr5GnV54c4NV:vqf6VR9qO+uNk54tX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	78a276dd6a238400a85b8b3fba420d50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 64 IoCs

pid	Process
3048	Ebploj32.exe
2592	Ejgdpg32.exe
3580	Eodlho32.exe
1748	Ebbidj32.exe
1456	Elhmablc.exe
3484	Ecbenm32.exe
1348	Ejlmkgkl.exe
1460	Emjjgbjp.exe
5028	Eoifcnid.exe
4908	Ffbnph32.exe
4036	Fmmfmbhn.exe
424	Fcgoilpj.exe
4556	Ficgacna.exe
2504	Fqkocpod.exe
212	Fbllkh32.exe
4588	Fckhdk32.exe
432	Ffjdqg32.exe
4440	Fihqmb32.exe
1384	Fcnejk32.exe
2336	Fijmbb32.exe
4884	Gcpapkgp.exe
4944	Gjjjle32.exe
3800	Gmhfhp32.exe
396	Gcbnejem.exe
1252	Gfqjafdq.exe
4616	Goiojk32.exe
2656	Gbgkfg32.exe
2356	Gcggpj32.exe
3008	Gjapmdid.exe
3168	Gqkhjn32.exe
2652	Gpnhekgl.exe
856	Gjclbc32.exe
4912	Gmaioo32.exe
4136	Gppekj32.exe
4932	Hfjmgdlf.exe
4264	Hihicplj.exe
4988	Hapaemll.exe
4624	Hcnnaikp.exe
2376	Hikfip32.exe
3872	Hpenfjad.exe
1156	Hbckbepg.exe
1128	Hmioonpn.exe
1552	Hpgkkioa.exe
3892	Hbeghene.exe
1752	Hjmoibog.exe
3060	Hpihai32.exe
4592	Hbhdmd32.exe
3968	Hjolnb32.exe
4972	Ipldfi32.exe
2524	Ibjqcd32.exe
636	Iidipnal.exe
1724	Ipnalhii.exe
828	Ifhiib32.exe
4140	Iiffen32.exe
2156	Ipqnahgf.exe
2040	Icljbg32.exe
2768	Ifjfnb32.exe
4180	Ijfboafl.exe
3964	Imdnklfp.exe
1280	Iapjlk32.exe
2760	Idofhfmm.exe
384	Ibagcc32.exe
5024	Ijhodq32.exe
2436	Imgkql32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Iebapp32.dll	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ebbidj32.exe	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Dofqcl32.dll	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7036	6924	WerFault.exe	252

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 3048	3556	78a276dd6a238400a85b8b3fba420d50_NeikiAnalytics.exe	82
PID 3556 wrote to memory of 3048	3556	78a276dd6a238400a85b8b3fba420d50_NeikiAnalytics.exe	82
PID 3556 wrote to memory of 3048	3556	78a276dd6a238400a85b8b3fba420d50_NeikiAnalytics.exe	82
PID 3048 wrote to memory of 2592	3048	Ebploj32.exe	83
PID 3048 wrote to memory of 2592	3048	Ebploj32.exe	83
PID 3048 wrote to memory of 2592	3048	Ebploj32.exe	83
PID 2592 wrote to memory of 3580	2592	Ejgdpg32.exe	84
PID 2592 wrote to memory of 3580	2592	Ejgdpg32.exe	84
PID 2592 wrote to memory of 3580	2592	Ejgdpg32.exe	84
PID 3580 wrote to memory of 1748	3580	Eodlho32.exe	85
PID 3580 wrote to memory of 1748	3580	Eodlho32.exe	85
PID 3580 wrote to memory of 1748	3580	Eodlho32.exe	85
PID 1748 wrote to memory of 1456	1748	Ebbidj32.exe	86
PID 1748 wrote to memory of 1456	1748	Ebbidj32.exe	86
PID 1748 wrote to memory of 1456	1748	Ebbidj32.exe	86
PID 1456 wrote to memory of 3484	1456	Elhmablc.exe	87
PID 1456 wrote to memory of 3484	1456	Elhmablc.exe	87
PID 1456 wrote to memory of 3484	1456	Elhmablc.exe	87
PID 3484 wrote to memory of 1348	3484	Ecbenm32.exe	88
PID 3484 wrote to memory of 1348	3484	Ecbenm32.exe	88
PID 3484 wrote to memory of 1348	3484	Ecbenm32.exe	88
PID 1348 wrote to memory of 1460	1348	Ejlmkgkl.exe	89
PID 1348 wrote to memory of 1460	1348	Ejlmkgkl.exe	89
PID 1348 wrote to memory of 1460	1348	Ejlmkgkl.exe	89
PID 1460 wrote to memory of 5028	1460	Emjjgbjp.exe	91
PID 1460 wrote to memory of 5028	1460	Emjjgbjp.exe	91
PID 1460 wrote to memory of 5028	1460	Emjjgbjp.exe	91
PID 5028 wrote to memory of 4908	5028	Eoifcnid.exe	92
PID 5028 wrote to memory of 4908	5028	Eoifcnid.exe	92
PID 5028 wrote to memory of 4908	5028	Eoifcnid.exe	92
PID 4908 wrote to memory of 4036	4908	Ffbnph32.exe	94
PID 4908 wrote to memory of 4036	4908	Ffbnph32.exe	94
PID 4908 wrote to memory of 4036	4908	Ffbnph32.exe	94
PID 4036 wrote to memory of 424	4036	Fmmfmbhn.exe	95
PID 4036 wrote to memory of 424	4036	Fmmfmbhn.exe	95
PID 4036 wrote to memory of 424	4036	Fmmfmbhn.exe	95
PID 424 wrote to memory of 4556	424	Fcgoilpj.exe	96
PID 424 wrote to memory of 4556	424	Fcgoilpj.exe	96
PID 424 wrote to memory of 4556	424	Fcgoilpj.exe	96
PID 4556 wrote to memory of 2504	4556	Ficgacna.exe	97
PID 4556 wrote to memory of 2504	4556	Ficgacna.exe	97
PID 4556 wrote to memory of 2504	4556	Ficgacna.exe	97
PID 2504 wrote to memory of 212	2504	Fqkocpod.exe	98
PID 2504 wrote to memory of 212	2504	Fqkocpod.exe	98
PID 2504 wrote to memory of 212	2504	Fqkocpod.exe	98
PID 212 wrote to memory of 4588	212	Fbllkh32.exe	99
PID 212 wrote to memory of 4588	212	Fbllkh32.exe	99
PID 212 wrote to memory of 4588	212	Fbllkh32.exe	99
PID 4588 wrote to memory of 432	4588	Fckhdk32.exe	100
PID 4588 wrote to memory of 432	4588	Fckhdk32.exe	100
PID 4588 wrote to memory of 432	4588	Fckhdk32.exe	100
PID 432 wrote to memory of 4440	432	Ffjdqg32.exe	101
PID 432 wrote to memory of 4440	432	Ffjdqg32.exe	101
PID 432 wrote to memory of 4440	432	Ffjdqg32.exe	101
PID 4440 wrote to memory of 1384	4440	Fihqmb32.exe	102
PID 4440 wrote to memory of 1384	4440	Fihqmb32.exe	102
PID 4440 wrote to memory of 1384	4440	Fihqmb32.exe	102
PID 1384 wrote to memory of 2336	1384	Fcnejk32.exe	103
PID 1384 wrote to memory of 2336	1384	Fcnejk32.exe	103
PID 1384 wrote to memory of 2336	1384	Fcnejk32.exe	103
PID 2336 wrote to memory of 4884	2336	Fijmbb32.exe	104
PID 2336 wrote to memory of 4884	2336	Fijmbb32.exe	104
PID 2336 wrote to memory of 4884	2336	Fijmbb32.exe	104
PID 4884 wrote to memory of 4944	4884	Gcpapkgp.exe	106

C:\Users\Admin\AppData\Local\Temp\78a276dd6a238400a85b8b3fba420d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78a276dd6a238400a85b8b3fba420d50_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\Ebploj32.exe
  C:\Windows\system32\Ebploj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\Ejgdpg32.exe
    C:\Windows\system32\Ejgdpg32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Eodlho32.exe
      C:\Windows\system32\Eodlho32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        23⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        25⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        30⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        37⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        38⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        39⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        43⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        47⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        55⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        57⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        63⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        66⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        68⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        71⤵
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2032
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        74⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        75⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        77⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        78⤵
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        79⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        80⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        83⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        84⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        87⤵
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        88⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        90⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        92⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        96⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        97⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        98⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        99⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        100⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        101⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        102⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        104⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        105⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        106⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        107⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        108⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        111⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        113⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        114⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        115⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        120⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        121⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        125⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        126⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        132⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        133⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        135⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        138⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        140⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        142⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        144⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        148⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        149⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        157⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        158⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        164⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 416
        165⤵
        Program crash
        
        PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6924 -ip 6924
1⤵
PID:6996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
128KB

MD5
281a743a5ef29964f21875af4ea926c4

SHA1
dea3a7345f91f1f6786c71121c128b451116ccd6

SHA256
2f21607b033e48291e7bdce91f5df261b3b5556a0512b33634d6a98691a9f44f

SHA512
a0da7e9911cc248a98b5688189d6f62808c221a1a2dbe1001c9c7410a1aa28ca159d9e5b817daf6902a71ca9aa1b4490eb31b3ab9d45c41296b812f5ebd23e63

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
128KB

MD5
b72996f97d94ba1e5d419201f76f57be

SHA1
081d255f1b895b04e73384ebca0301b9bd0bb597

SHA256
09c456ec2d2b1717ac52932496e6efa942170016e9a33fdcf306c426d57d1319

SHA512
f1d8328555a0bf4b7d28dbf64e16f84734937697fc458951f681b3914d3b44a08741809188dc6ac411a23b3cab03bdf6b684fc3da10de072dae6940b27c338c3

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
128KB

MD5
2e5626b23ef8c29529f20ecb7774e081

SHA1
30dba65c362b24b0a5fb2761c9dcc87e583fb3e3

SHA256
34fb2bea65ea7beb9487a32ea8246750af9a76036ee24c2a26a2d1ddef72aad9

SHA512
308890c85e785203f88b3e6baad4f0c9902104a030b48a432c2215386891d6cfe524be6570d3e81c75a1f709ef53e8b7f38c1bdbf2caff780031cb97dd6e71e1

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
128KB

MD5
feda65176547dc1c4afc54f8809fb887

SHA1
bf83db4c059ef0dbe018572a661fbf1bd2fd84c6

SHA256
20e7eb9b31c1b43cbeef81e6e938080fecf3dde8473063d0717fdd8d885237f4

SHA512
985dfd859a3113053a10869649b227ed039baefcd246231fbebfc67fc627da92970787678e7226aa70addded644e06c8b97159a3c46f5728d678c2f74e3abb68

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
128KB

MD5
053c912900a6fcfee174f330865a47cf

SHA1
38d6d62a9eb9d9ec3e465e7ec8b483005dae3035

SHA256
779ae8085ecd0259bad9d92633b753ddad414d72f4749956d01479143f22376f

SHA512
fa1b020f379d801ce61744f2e63fc7c0956e15dd689e4ec7a4b4bf245a1d8de5dd9ae6b8305ac411c85f09dfee439dcccdb69a294784f446c2478ee6d7d65673

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
128KB

MD5
b17e21bc27a787a028c255a0430521f5

SHA1
93cb3d353ffa4b067e9a5675ed7e614252580c77

SHA256
1a0192be2b408d80d6f8a05f5a4b8280c522682452dd9ee85bf292f59680d263

SHA512
b3fa0a2742db21d5675e88d48c6f871c053fe76940a4f4524cb8e8176b0b96b7a1dbf045c7f970b3e63a65031c257d12fa6d3e34c9c59ded9bbdf65902f3b17b

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
128KB

MD5
cf90d9bc87c3d9b48da81351226e7dff

SHA1
a802dab00aec48f532fd7017c141dc287f4a7b04

SHA256
1e1087bd9ca795c9dd0c81da3b44204deb634b6448ff0cdfc69ebc0751a120ac

SHA512
a322294c9cbb1caa192db2c12db32d4d7a982c6871392fbc6b909a87f6babc32c835966f82e6ecf663ae66678d3d9de96f9f279b4e56f0e9229a65d333d2c736

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
128KB

MD5
7615fc6e0c2d69df38f33f02c46e318e

SHA1
8e8af6cd598985311fac7b04910d2c7a68e3af2b

SHA256
9a3f3827c922324973d069ee5369ae08c4576ad1651cf246a62633dd8a1708fc

SHA512
12781d5c65a9a5681dbf76d2911bffecc915a89f23c5d31c6c1483bad79f59be0183af5ee8605c50e439eaadd4b8ddb63a6a61678ce80e287792055510a7c619

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
128KB

MD5
1b5ed978abb69489529c025f500b2700

SHA1
8cd54f66eef4b497e4d69246b73d8f75f2dcf488

SHA256
e045f25f021ddbbbdcdfc872c864a052f45a1eccaa5a2d231fd561605b4f2f7f

SHA512
5f23280b31c4fd02bd7b72da90ee255a354fe93d7e055c2b8d0c6807f8e9733da9f6b4adb7513f57277bb43d65498c7b2cd08ee843974efc5fe778bfe229ecef

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
128KB

MD5
df496a36c5335ca9ad273992f33954bd

SHA1
b3225a2bf6f4a984ba58b18a5b72efdf253b7a40

SHA256
9c8762b9e40ff76de4d7ad318e1f9042ea5428fa8f28ab6d071cf97ff274eb6e

SHA512
bb5e18eef62f929b41c14bc68e821f38554a3d22d1110d288b3f5d6b0ac81d79007089eefddbcc76c6f38e93c4cf491ad6221bce793b3672f857647a08a2addd

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
128KB

MD5
bbf3a9e169f4f2baf21fe75c94c4feba

SHA1
54c9d696b00b4fdf00a934ac7282bfd51501a870

SHA256
94c3a20386f705193dd96937ba8f3319f9b84188c030599f59b0d0331958bb1c

SHA512
597b1656a359c78f13e15050eb6cdcbd4bc30a5640820e6afa0c76c0c8a9d396aadf8c33d9803dc6877e50942b48159d33f968f8ea0cf8ddec02176e1c2144f1

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
128KB

MD5
8469f997bbbcf0a996738732bfac72d6

SHA1
79ba909414922020149e6e5821b376c357ffce96

SHA256
8594fad5eaa8d2e4e8fac0261d75c1e7ce3d101d6f0609258a6e25afb42d30be

SHA512
e02fe9ad773952f9fdb490cdec14171768d116581363569733a67805b04303f4593b24ae124eb64f39762b4c848746a6f3a29d1afcbc7cf42573d7074d1adc6c

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
128KB

MD5
5388aea5a08a9d8cf28396e0926700a4

SHA1
46b73815ad62215911e9026b0091efe23fcca995

SHA256
5820d3d1ab5dbf017e9a6fed501991d27b97122de8a63c69e01c84762be212b9

SHA512
df21065fe2dd56666f07b4590400f89763989110752481e694fce67a6af1942e754b413dd6db74133907d9c93309cd6f328eaeb66142669c85272d34752ecd90

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
128KB

MD5
f57ebb4055eca9beb7bad0e17c94099f

SHA1
6355f21bd707872f291dfe931f30ba220e1e7a37

SHA256
68338474ba85be427ee9344df6229588dfe8f328eac81a132815324092ef52a7

SHA512
6841b9badf0c4471a5321656dc40eacbb12b570663cbecca2bbe260e5ed9f2f839e9dd7034bfdfc6400f8ea46665dc85f0be88bf2df6a348aa8546c1d8efb237

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
128KB

MD5
e2473d1ade7abf8a8810b89d88b124bc

SHA1
f2e6a6d76089e0a117328227f57dabdf500a53aa

SHA256
77eabec8abb7f74f2020aa34d7fd86be9819d3479ec560a75e9f5530ee24eaa4

SHA512
18ad1cc7cf9b7c3c6fd42ff3aa74d9feb70961c65b27b6f87909b84d31c00b3c849ced8872471469b1655b92a7db7a67604b5b2bd10a948e7855510d4c225502

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
128KB

MD5
5801e3620460e54838102364bc001aaf

SHA1
d60ba02bed2be6f1095089fcb5d00df572ec8f56

SHA256
3d936066472a8af1c58ca7c0ffe2f89390a7ce017fda64a36711697f0ccc9775

SHA512
e9bd1b4047160048447566ad15d931e1546ea5cb46d2c46f9cc1a5c649af18ce31f7d1b8a31472ac5555600092b232ae2799fa2980a511fd0c756a28ec40505e

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
128KB

MD5
0364a20b9444051322c8e4c92fe5ac49

SHA1
2098cc406bd09cd9de08c61c88cd45770395a5e9

SHA256
53eed2bc58d43730ca131f76eeaeff5224a53efef37e52ef6159602256f50427

SHA512
81bdab854a09b21671b83789dd5a6734f9573170dd25da2271bbb7e13f181713bc01b70d32b3b26a836e4a6bea07d07e5c114b6e002bd9fb5d9981519ca4970e

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
128KB

MD5
bae7cf1c5e87fd0b7c864bf67812f240

SHA1
f588bfb847994a11ba999de984d8c7f5375f01ae

SHA256
5b7e9d83f7bab737160110bef74b0e51922514072600815ae9ad15f9ea36ca1b

SHA512
7df7c9c95c0f1099616346291d878cb1a659b3ca1d03191bacb1724fdfcc59f8ea53fea68ee0b723240dd57ffc337f0dc116d679fdf01e89657291b3c554711b

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
128KB

MD5
b52893c38c6135918d7c18f112a6a581

SHA1
a1d55c9a078b1bd1f5555530aeb52ea204d98226

SHA256
64cb90dd037030601bee9749e5053ea538b366a8ce448b466b1af8ad24db2cc1

SHA512
fbae23f67e7b2f6f549251976fce44bd197144dc0c453a4258ec549271d6ff5c627bdbfcc6c4112d5140ffb895cc7ed8349422ca2d9177da0bd3235c44fc49e1

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
128KB

MD5
96b8d8a0e0017f4ffc0243455a543e2f

SHA1
342dcea5ee16e9884d690f8291f8189f4454cc75

SHA256
51f01b8b4565fc97f9885347413f6b76950ccbc6f602797de69853e90e241ef9

SHA512
bbfa9ccc066b3f2147329be7d1e1ba2de6a87a7c641309cd012486dda7a408d0241c8cc945ab486658856bee85b42b2629b14037efb42bc3e13fff90d475fb96

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
128KB

MD5
32651cb344d478b11022cdbb965cdae8

SHA1
d3dc4ff61e41a9479ff6fed9ab47331ad3061b7f

SHA256
5f47be88896c6431a5c1664e90eada5d3f0302da07c876666db9790c3dcddba6

SHA512
9df4a7da899192509f34af9fb8de964ac711c91d4713478065eb8a738c8ad1a6d3864b63104a4f539827ba96217ba6a9af8573fe0c363b05cff19ed2acc77335

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
128KB

MD5
f06cf57a4e83f80a91f0a0278b170e9e

SHA1
2ec007fca78e31346164d943db3105fb3e554433

SHA256
ea5aa251d1278e9a635c9328cce991b034cc522e731aa851babc81dcdc786b93

SHA512
d16673f6a0ed5093c28aa00482025b42446910810e1915e97ed6932c43415596b6f7ee59e29e518ddef8d8ddb082e3e7e6eb3b75ac8558528d122d68e526fd23

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
128KB

MD5
c7a0d114175d55a06e94bb99dd5c0db4

SHA1
598d6d14ef0e3b6770aff372244fc636756ab8fc

SHA256
2937e4ebff62bb58474581d7021a75c1e953d7c12879aee063688b40e1a50981

SHA512
435d1f803423e47055df872f04c410071eef2847fce07d1cfc94d7b34cbafb2c9064eaf04b1a0f40a6162e28f1e98e3479771ec7701c9ef13b78dfc0d66f7794

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
128KB

MD5
f283415b2e336565958f5875a6673010

SHA1
681b9a229cfee42df4cc1689a35afebadc99cdd3

SHA256
7354f230f69d0f73d2b8e5416f9096d3a03efa1f743cb93f69d73efb2ed6b7b2

SHA512
39a3a6691dc3d5161861b62f1f76641b889566d0de6c15ef91460c1da0e009b1e0d0f7b87b1caf31d8b694b8e95dd36b3258fe77a5f45b9578fb102513ea1c54

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
128KB

MD5
547fd9d8b1394c07e713f41086f85b41

SHA1
069d1f6b8cd8a178407a56238a3dbb5d655f1d00

SHA256
836393ad3c636bf65de0048818e6ceee2a2302bea1a27e0eaaa70b6a99e320ae

SHA512
585c92cdcd3a9a3ce0814f3b09376ae3bace9625f54cf46707eda27ec10cb9d7b26a963fa8d33c3cb9e607e0f9f525652336c9628ee0e3a85cb97191f501301b

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
128KB

MD5
4b45f27e93fd045c9eff261044a958e6

SHA1
acf328baf7fea75dd3a57540747a2e31f8367d9c

SHA256
89f5117ff2f9ae7c01999a6d0263eacd3ea8707aa022eadc4f19015c175697f3

SHA512
f2eeb8467b3a8aeec77adea3419e5c01c40af663a001a9efad7b83fc7fa841eeabc8e6cb12e7a3cd581e9ddaa38429b31333af2e341efaf8a3a21124789beab1

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
128KB

MD5
e9c5074690f74a6be4f29e10704877d5

SHA1
38107dcdf8ca8e24293326668173463adeeac1d5

SHA256
c727263e5361417828ee69c16209626f8f03f0c27d9b84cfc26d57f580366127

SHA512
e993790d20f81cf57475b70ba4cbb3b334863086757b3e337200b291689eaa03185abb4a4139a72f6d100a2b7ab0ee0f56fbb596cd2d0f9818282db687980093

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
128KB

MD5
75b3a37cfb36acdceb0131ce3824523d

SHA1
265aa98b3fb3460b2122367e7ec53d1c2f4a30b3

SHA256
d9c28f938fe07530da8411da6527fc78bcaf6e4c040813cb15c554c4d3aa857d

SHA512
a9e301c17475be79d030aee82ece8463437fdfddcde09230b2815b597c847a88e7a6f97c904d7ac6d2b70a8f6485afb8f1882d605c2b4790bf9289a5754eaadc

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
128KB

MD5
a827f60e39f098e1008777d8a03e975d

SHA1
70cea19fe3d568544b29b2fdcb8447e550941e92

SHA256
a30ce836ea242d06adfffb0895be935ba6e2eea707b4991207c9aa2293a90a7d

SHA512
f4e86637766f84aca18687b33f3d6c4eda847324b8c133346f2e0c69d52a9027a3fe70cde7babe1accb653e9adcb9b0dedd3a11bc56f7d2828b1a0e5c4ff636b

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
128KB

MD5
736ead59c1b9943868511fe8d1dc5e1b

SHA1
251f0dbe41ec3911abcd27120f3b822fa059dab7

SHA256
f6b6917dd6116c99b16ff9d4a9ea1f0a69a796a981f7deb0905cbf425c435d4e

SHA512
da3a05a522bcb35909abfbf79a339e7ccecac08d847f52f6ed56823200a50699a4637754c33e49de239848b68c7f4c24a1c90419d113567b82c31c34c0c04ff1

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
128KB

MD5
115e61dbbe650681c9e7dd28be2616c9

SHA1
ac7ccb4941e596eae16617b54500f1cffb04f476

SHA256
854c725bad466d72af767866d382957f9704920b7ec28c6ea4b6d05c8957a0cc

SHA512
b2ffea4f364017b61d012698c2f7cb53fa4e03cb0e6aa812a4cb14020ee8e629a4bc735ffb9c48deb9f990ed86179c0e37ab87ab08e08b34b5e52175da029dac

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
128KB

MD5
313be76de6a78a03480814d7c895c3a8

SHA1
142cf9f33ad59f4839cb22dd8b7de8477d34582b

SHA256
60d12f5ec7c8adde24e0e5b7faee6e96262141a690e230f8d2dde4e5c030ee8d

SHA512
e5ffcbf63ae83ab99a96aa2e0aa02edc95b320ac41b88d84535e2fb66ea364bb3e3b16fe99dbfea3a34a117efecf1baa490cfa9846d4c5a5a43b8600781de224

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
128KB

MD5
070316f41971eef86625ab3df8661133

SHA1
76eaefd2252f8a117a7fb7871f7b81922fef1dde

SHA256
1305fef72d6a31a6fc04e293e0f7fb1ce68b080af068b630ee86745ef3d323e2

SHA512
e5307666f7d206fb26a6bd12406cd1e23083cba0a5a0129375a240709fd059e03e12afec2ad54ca35e7994b936c82ebfcc27faf05d8dbd33ce73631dc7cbc783

Download Submit
C:\Windows\SysWOW64\Jdmaid32.dll

Filesize
7KB

MD5
51bf29c64d7418a4363e04547b663481

SHA1
33e7ee769859a2b2b186ffa1845af447c96f3f98

SHA256
c499c0b3d29f0c2b820058a8272242f2b522c1114b38e1eae79a6a5dd26ed9c4

SHA512
73162d69ef14ff75f574520851d45d657d65245658af19aea2dae4eccd451ba117e370bf1065fd379cd98d034abf5786e9088c214e78b1c5d4e49d321021e99b

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
128KB

MD5
aefaf30c57c0f62a3f91970859a3d9ea

SHA1
9d98db9d07a9bc3d515140d19b8fd0cc3f7cd5b1

SHA256
5d459e96ad5fe84701e3d0df35da80816cd7b64a5b1ab68b8b9bbf915950d3d3

SHA512
1fb79a489b530958a9da6afe943153f64737c67a8ae2e3af287421675b0215d74f32cddd96377e32b38c7a98f0323e4b785d2b19676f273ac8a9de8b40a158ec

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
128KB

MD5
f0caef44d352191659cf4d076068d2e9

SHA1
14f5654ec9ce86fdf33b4251c738cd6a0063cb69

SHA256
bcbd9e49c761e7c8496b10dca476bf1dd94eb4d4895f8ab1ea1548b4d9d61de0

SHA512
a83a61c504c15ea281b3ee261fabbc6f7a14278a8a40988bf3140d3acfbcf05d9355c611ce3e56c772c3e3f4878e563e62a8a1cf17ef38e0fb07eb092ff74f14

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
128KB

MD5
f40a6a7437ded28a04460bc7f0f8870f

SHA1
afd85f6d13efff043f38052fb23add737d370396

SHA256
07590b80c0bcc2cc2535f570320e1b54a74cb4944d667cb20595242b00a52faf

SHA512
bcaf4dcf776377fc1d698d2bf3c5b6524a0f743410244afc2959ef9bc3e0430de0ba2b541c9728833bff768ce73cbd8ebba84557bebae5be1c6abfe6aa254150

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
128KB

MD5
7663cdf704e77fd18b19cf32b2675793

SHA1
fc30d2b11f4beaad8475be93aa30602ea6f5f78a

SHA256
34b9c9cf54459ba82ffb6cb3b974d5ecde662f92011702c7a3e50b6e6d80d5d1

SHA512
8b770635c0367936e89bc03fc16edfd6b2fdf045cb263620c9fd347ec3b72c0b7b1d299b61c2fdbbd981a035f0795f8d4a56cd627765ad44434c8f73d489fe32

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
128KB

MD5
7399711de4212e89917f1d32ed20f782

SHA1
e62f25cae12c6a8e9bb7d0455cee5786498887b8

SHA256
d42438be00de9abc69d6ecbb1fff3f0dae1ac217228e3f3136b8e6d860182e09

SHA512
cf6d395132d5aa985ea12cc4271a9909d1e2486c7d999800894e60f1f14fad77f63de15f7b2803d912edaf0297ca405dc2a4db8c9e46138ecfa7dcb54f245b4f

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
128KB

MD5
63161a1b50ddcb27cf04112c8b8277e8

SHA1
e32c02d77ac22ad9920898c2ad4f28d2200aa38c

SHA256
20b96089e79b9caf744c353bd4b18c89871d002bc6dc35b0dd1942b645d0b5a3

SHA512
9c3841fae622f947944a1c38d7440818b6a1358e66485582b5326c6a479fa74bf4f9a5fb9e3a7dc51dd197bab4e58914e2832d1ef5f242091389b633fdf9785d

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
128KB

MD5
91663ec3bfd724c7c2fcb9395d6b6219

SHA1
8304736509a29399624bbefea83830b443824578

SHA256
2e95f6e18871259705b3b1f7ad5f63c6e90e276da80cb3b37517227176878fe7

SHA512
18152094531272caab8195e976c9e58337e0ab3cfd74e3ac45f4b1299650963850352e3df12ce6764b9fd7eccb58ad459be0a585036d4ba4116e4c5dd2380ff7

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
128KB

MD5
72e3951477a7de8af13707091879e1ce

SHA1
5dbf76ec69aca560aef4a74a27fff5e50b9a791b

SHA256
1389d9be04898b42f7b2680f182e747ed7ecc9975681bd5d4efa398d4894785f

SHA512
72820f08e700ffbcea6e6bc9b519868858e67c3b2d72152c0588c0fbb915156421845d56ec058f9b3daa572f64311fdd4ff76f5f6519ed0495d8b1f0b0f2eaf6

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
60e7354b4b40faf25bcce34e45066cea

SHA1
8d79b2d961803428099c1543ebc646930848f586

SHA256
72cd6315e7adb1eed972bfa628e1e2171c4adfcb034bb4f2aede508f0624cb81

SHA512
e12a106ed4dc2f7fd92ceeadf470d2cb9259a6306ab121ff28640394260494ab5ee7e2fb20c9429f8c821a8ef40207e6edd1eca7c6bc061668f7d80215b2b3e8

Download Submit
memory/212-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/212-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/396-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/396-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/424-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/424-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/636-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/856-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/856-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1384-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1384-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1456-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1456-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1752-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3168-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3168-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3556-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3556-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3580-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3580-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3800-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3800-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3872-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3872-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3892-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3968-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4036-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4036-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4440-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4440-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4556-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4556-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-230-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4884-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4884-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4912-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4912-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads