b1d51bf011c5736aef479a8a82d3d3d6f9a048ec85b7da79d416103cabec922c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe
Size

145KB
MD5

dd26155a336201488c80f947d2ad2bc0
SHA1

94881e253c43482fa64364908587f312d38c6bb2
SHA256

b1d51bf011c5736aef479a8a82d3d3d6f9a048ec85b7da79d416103cabec922c
SHA512

28bcf348c97f6f0d476a13dcfdd222f2fc50b21e962107808f0d868326634266cd8e0c6b0da9e8b8a8ea18f3d542e358e5dfd1b49c371e798d3cc78dd8990f7d
SSDEEP

3072:jqKs1A9qacGNt7tA19VfczodKzqD3pFBEV52Ae5aFnVB:uLA9qacGNt7tANfczoAzc5Id

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe

Executes dropped EXE 64 IoCs

pid	Process
3480	Ebeejijj.exe
3140	Ejlmkgkl.exe
1776	Ehonfc32.exe
3216	Ecdbdl32.exe
1932	Ffbnph32.exe
4424	Fmmfmbhn.exe
3180	Fokbim32.exe
1180	Fbioei32.exe
3784	Ficgacna.exe
2284	Fomonm32.exe
1112	Ffggkgmk.exe
4980	Fifdgblo.exe
5036	Fopldmcl.exe
4624	Fbnhphbp.exe
4888	Fjepaecb.exe
5072	Fmclmabe.exe
2720	Fcnejk32.exe
4532	Fflaff32.exe
2988	Fmficqpc.exe
928	Fodeolof.exe
3176	Gcpapkgp.exe
1868	Gfnnlffc.exe
1372	Gqdbiofi.exe
1472	Gcbnejem.exe
2332	Giofnacd.exe
3284	Goiojk32.exe
2576	Gfcgge32.exe
3956	Gmmocpjk.exe
4332	Gcggpj32.exe
768	Gfedle32.exe
632	Gidphq32.exe
3540	Gcidfi32.exe
4348	Gfhqbe32.exe
4504	Gmaioo32.exe
940	Gppekj32.exe
3812	Hfjmgdlf.exe
4536	Hjfihc32.exe
2004	Hmdedo32.exe
4612	Hpbaqj32.exe
2120	Hbanme32.exe
4272	Hjhfnccl.exe
3964	Hmfbjnbp.exe
3144	Hpenfjad.exe
4496	Hfofbd32.exe
3084	Himcoo32.exe
3580	Hmioonpn.exe
1436	Hccglh32.exe
744	Hbeghene.exe
2016	Hjmoibog.exe
3312	Hippdo32.exe
5104	Haggelfd.exe
2276	Hcedaheh.exe
852	Hfcpncdk.exe
1796	Hmmhjm32.exe
4048	Haidklda.exe
1004	Icgqggce.exe
1512	Iffmccbi.exe
2956	Iidipnal.exe
756	Impepm32.exe
4988	Ibmmhdhm.exe
3236	Iiffen32.exe
2948	Imbaemhc.exe
1756	Iannfk32.exe
3456	Icljbg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbdl32.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6732	6572	WerFault.exe	257

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3480	4736	dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe	82
PID 4736 wrote to memory of 3480	4736	dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe	82
PID 4736 wrote to memory of 3480	4736	dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe	82
PID 3480 wrote to memory of 3140	3480	Ebeejijj.exe	83
PID 3480 wrote to memory of 3140	3480	Ebeejijj.exe	83
PID 3480 wrote to memory of 3140	3480	Ebeejijj.exe	83
PID 3140 wrote to memory of 1776	3140	Ejlmkgkl.exe	84
PID 3140 wrote to memory of 1776	3140	Ejlmkgkl.exe	84
PID 3140 wrote to memory of 1776	3140	Ejlmkgkl.exe	84
PID 1776 wrote to memory of 3216	1776	Ehonfc32.exe	85
PID 1776 wrote to memory of 3216	1776	Ehonfc32.exe	85
PID 1776 wrote to memory of 3216	1776	Ehonfc32.exe	85
PID 3216 wrote to memory of 1932	3216	Ecdbdl32.exe	86
PID 3216 wrote to memory of 1932	3216	Ecdbdl32.exe	86
PID 3216 wrote to memory of 1932	3216	Ecdbdl32.exe	86
PID 1932 wrote to memory of 4424	1932	Ffbnph32.exe	87
PID 1932 wrote to memory of 4424	1932	Ffbnph32.exe	87
PID 1932 wrote to memory of 4424	1932	Ffbnph32.exe	87
PID 4424 wrote to memory of 3180	4424	Fmmfmbhn.exe	88
PID 4424 wrote to memory of 3180	4424	Fmmfmbhn.exe	88
PID 4424 wrote to memory of 3180	4424	Fmmfmbhn.exe	88
PID 3180 wrote to memory of 1180	3180	Fokbim32.exe	89
PID 3180 wrote to memory of 1180	3180	Fokbim32.exe	89
PID 3180 wrote to memory of 1180	3180	Fokbim32.exe	89
PID 1180 wrote to memory of 3784	1180	Fbioei32.exe	90
PID 1180 wrote to memory of 3784	1180	Fbioei32.exe	90
PID 1180 wrote to memory of 3784	1180	Fbioei32.exe	90
PID 3784 wrote to memory of 2284	3784	Ficgacna.exe	91
PID 3784 wrote to memory of 2284	3784	Ficgacna.exe	91
PID 3784 wrote to memory of 2284	3784	Ficgacna.exe	91
PID 2284 wrote to memory of 1112	2284	Fomonm32.exe	92
PID 2284 wrote to memory of 1112	2284	Fomonm32.exe	92
PID 2284 wrote to memory of 1112	2284	Fomonm32.exe	92
PID 1112 wrote to memory of 4980	1112	Ffggkgmk.exe	93
PID 1112 wrote to memory of 4980	1112	Ffggkgmk.exe	93
PID 1112 wrote to memory of 4980	1112	Ffggkgmk.exe	93
PID 4980 wrote to memory of 5036	4980	Fifdgblo.exe	94
PID 4980 wrote to memory of 5036	4980	Fifdgblo.exe	94
PID 4980 wrote to memory of 5036	4980	Fifdgblo.exe	94
PID 5036 wrote to memory of 4624	5036	Fopldmcl.exe	95
PID 5036 wrote to memory of 4624	5036	Fopldmcl.exe	95
PID 5036 wrote to memory of 4624	5036	Fopldmcl.exe	95
PID 4624 wrote to memory of 4888	4624	Fbnhphbp.exe	96
PID 4624 wrote to memory of 4888	4624	Fbnhphbp.exe	96
PID 4624 wrote to memory of 4888	4624	Fbnhphbp.exe	96
PID 4888 wrote to memory of 5072	4888	Fjepaecb.exe	97
PID 4888 wrote to memory of 5072	4888	Fjepaecb.exe	97
PID 4888 wrote to memory of 5072	4888	Fjepaecb.exe	97
PID 5072 wrote to memory of 2720	5072	Fmclmabe.exe	98
PID 5072 wrote to memory of 2720	5072	Fmclmabe.exe	98
PID 5072 wrote to memory of 2720	5072	Fmclmabe.exe	98
PID 2720 wrote to memory of 4532	2720	Fcnejk32.exe	99
PID 2720 wrote to memory of 4532	2720	Fcnejk32.exe	99
PID 2720 wrote to memory of 4532	2720	Fcnejk32.exe	99
PID 4532 wrote to memory of 2988	4532	Fflaff32.exe	100
PID 4532 wrote to memory of 2988	4532	Fflaff32.exe	100
PID 4532 wrote to memory of 2988	4532	Fflaff32.exe	100
PID 2988 wrote to memory of 928	2988	Fmficqpc.exe	101
PID 2988 wrote to memory of 928	2988	Fmficqpc.exe	101
PID 2988 wrote to memory of 928	2988	Fmficqpc.exe	101
PID 928 wrote to memory of 3176	928	Fodeolof.exe	102
PID 928 wrote to memory of 3176	928	Fodeolof.exe	102
PID 928 wrote to memory of 3176	928	Fodeolof.exe	102
PID 3176 wrote to memory of 1868	3176	Gcpapkgp.exe	104

C:\Users\Admin\AppData\Local\Temp\dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dd26155a336201488c80f947d2ad2bc0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\Ebeejijj.exe
  C:\Windows\system32\Ebeejijj.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\Ejlmkgkl.exe
    C:\Windows\system32\Ejlmkgkl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\Ehonfc32.exe
      C:\Windows\system32\Ehonfc32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
      - C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        26⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        30⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        36⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        38⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        39⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        41⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        50⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        52⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        53⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        54⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        55⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        66⤵
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:880
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        70⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        71⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        72⤵
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3292
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        74⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1972
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        76⤵
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        77⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        81⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4268
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        84⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        85⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        86⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        87⤵
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        88⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        91⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        92⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        93⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        98⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        101⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        102⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        106⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        109⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        110⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        117⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        119⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        121⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        125⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        128⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        129⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        131⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        132⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        135⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        137⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        138⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        139⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        142⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        143⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        144⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        145⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        146⤵
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        149⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        150⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        151⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        152⤵
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        153⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        155⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        160⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        162⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        163⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        167⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        169⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 408
        170⤵
        Program crash
        
        PID:6732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6572 -ip 6572
1⤵
PID:6692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
145KB

MD5
1e76cb5bb81723c1d7c28b4938ef7490

SHA1
f5eb08c70ebbf3f04204fabacc88e52306aa59d0

SHA256
a7c137a8ff973b1c465a12de7661977fee4395cdba519a339ea0e9a077e9dde1

SHA512
d1744158cd29a354dcbb995b343b418f9fbd23fca87e2193ae66d41586272fe60286299c4d4fb35d5de864eb80ebfe7d07b4b7b54a288813fee5c641947dd7dc

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
145KB

MD5
a321c0e658fad0341269bc3d23f53cdd

SHA1
33447933d7dd158698df8da5c0af50109d81ae41

SHA256
51d012ba63710a02cc6a8149fc0d68ab2b05683a8cc4585a4226740a5a7c62a8

SHA512
3e922b1e4a761df0dd0c32bf56f0d89eb56672714099ae2642dae759f0ba9092cf9b0392fd9eb44a5479a03c86588a573fac212313b4905f03ed4fc7ee45fee9

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
145KB

MD5
56c69950defd0c61c0964dcf79960db6

SHA1
3733f3e7b68dec5a20f8fdfeacb6b25f4a033d71

SHA256
551d73c4dac80990b879ac0ccd6cd688f481342b791825f704bf35099cc2c42c

SHA512
301d5811976fe2a71b01aa2e0a22cda88c16daac8ec404fb62298384ad9a783345d5b09defc9b28fa78790f6abd7e9cdb095818108d65c1411fd43893d8f5118

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
145KB

MD5
ca6f805ca6fadd90deada56e5afc8a76

SHA1
5c6de7f21455dce1225106913565a68154f4c1aa

SHA256
776fc041dcf761bde10bdfbce6a9029f2138218d9612e294fe69247ea21d70e4

SHA512
632980e7a744d20ac5758d150e3f66040c1311c4a7fc759d64d84b8481e90ea9875d0f672693d612ec0eba78a6538fd07002a5ac6a0561d0f70fb54471c6a2a1

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
145KB

MD5
c254cc5ec96a90d12b032d1a12fb78d5

SHA1
824cc3fca17be47c7c91e1bfcde419c856133d42

SHA256
44a72df2f3c4bc65d5ad79d33623090e2d6c094dc853c2e381fb516f0a3e2e90

SHA512
c904646036a970a5803df84fd9f2ca52b68dadb389e8411d517f142176e0b8303c104683983ee7bf7df0b1e5a467526962e94a7e648fd96be001ebc3a1ff2e8b

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
145KB

MD5
92f50d63447358469ecb1db55418b634

SHA1
7bcec8e3e9c672125ef07e7bebdfe1a2b1da81e6

SHA256
50fa22d0aa6ce3d1e84781c268b2a3677562e4d2ee7b01d77242a7f69097cab3

SHA512
878e216ae63bdab8657b580da08b78184c432160b8d8ee4f766e34603f1de3f8ea0c079c5dcb81dea10740de6323bc197f6cfa3aaaa5fa01762cbb90e41ca54a

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
145KB

MD5
fa133ed7685ce7fe359d4a53654498fa

SHA1
62434a4e451f29d64455b5e2c57455f332870980

SHA256
f0004fb538bd8544c76b135f52828b84ab3a173b28dd0aa5761534c8dd704946

SHA512
11f9df1853832b54d26d900a1e575691b598c57b74b88088ceb9d84686e2b082a04c830013e494793e18bdec578a9dbbe877b8721cf7cfdc52e8cc53464ff217

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
145KB

MD5
af087709c2a242d9d262149932a98f8b

SHA1
bc558aaadd8e8ada2f59a44a73bf53defb722d41

SHA256
7ba34a4921d18fee9e5563d523aae4e9e98986d8b8c63cc64ae7beb0ba1b5513

SHA512
83ceff24c9c912420205fcc447caac12e9cda0805fd2a743889c49e51d662abf4d616952564902a161e53a2fb50e84daf45157869793f8fd5ddbc076a6e0e48e

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
145KB

MD5
0d382669e82fba0db7bf1a983fcf2e73

SHA1
0e5ea9a552c211b6bc5a4ab69d125c82648d40ab

SHA256
0f8abef942fcfb1516f65d5d101e5449325f652ed834fbcf5977f5f1119ea06b

SHA512
9a5490872b6bad089c88f827e2fe68f9aa3b30241fd4946158593336711e2e1b4729ea028ece0075b7acb9e98a9f5007bd9178262e6ca4e62dbfb03077ea45eb

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
145KB

MD5
78d9fefd8f446daddde1c6f184ba7aa6

SHA1
1b53a38d19eec89b86cce680cd1cc568322097e3

SHA256
53d44166caa75b37e0ba64d72baad1ba748419ac04f562aba8add687e332b0ad

SHA512
82d15969885c4cb5cc8f7de1bbc63658226991c7ca2fd188606fb4073da4a7b98c55792b7c2511fc5a376893d1618af64652e8f6c5dfb3773610dd2fddcf8b32

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
145KB

MD5
31535f087e3ba95a4333df62d10ae1ab

SHA1
513f2bc1629d916499f3042393973f40310ee5c4

SHA256
180000cd5b4b7856e84e105bcd9ca5041eaaaa29d069214396bb76cc92daf234

SHA512
dd34c258c25b7865395ebb4c83b649fb8c75a3919678aea079848a3bc15b2b801d12ffb8a51e68342137ff4460d0c2d37712fd0096d538ec62139dd53db24551

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
145KB

MD5
9d6bb9160b592a9b532fb002c71efa10

SHA1
e71600f3fac3821e38991411b0e5a589551f94dd

SHA256
00c03117bbccf30317040db20211351c722fe7af0ae5eb055f75302cfc79c897

SHA512
6416a1a52dd45c26c31423750ee0d73f5a479d1957701976177eb83196d30b6dbc400bd77de92520202898dccd9ea3669af5c1902abc4da06c0a5361adf42dbb

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
145KB

MD5
1fb992d32d3f31842ef1338fd7cb814c

SHA1
3752aa09b3918546972acd0f95c659013a14931e

SHA256
f1c107708e305dda9dce80d09ed630cf2ddf1efbfc290875e527c88615bb6187

SHA512
7d3c2fe0817069a34e078b44a404ca35588913e1620554e658251a06cb99cea5a8e40d23b056c197dd0a1e4648951e4af5e03013ee58ea850d1f3ced4f7f5f0d

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
145KB

MD5
5693d64c196de35a042a83b915353339

SHA1
ae7ae3f27e33e5daa340c9def0023eb759981be0

SHA256
d91eb90b192f33890b4db793c6703cf26a0c54edb10477f883fa7bd584c5b028

SHA512
5f07a9835ecf1f27569f3e2da52256999ea6cda485dec40d30b31db36e9d6137c62a0fbee55e3564f3b65fb6bd22ae65433febba89a72215d7cb3e0f0b9938d6

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
145KB

MD5
00b9eb44d7ae4544d7029918ae599f80

SHA1
0fc29ef2361531424a90263886e9038b9c7570de

SHA256
bfb6bf8c11ea9a392c2ba9a33e8bd0cfbfb6aa54deb69c11dd2d6dae3fc27ba6

SHA512
ca75e332e7d604630c6239b84628fb34247e367a3ac7fc39d6f66acec3a1364f9309ee12d8be38e3cff1bb626bd8e85db7cf416925b997f8a209f1e24c877399

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
145KB

MD5
8bec4189ededc2dced1bbecb739fe72d

SHA1
f4557318879a6aabbfe97076c9bd8199e1e09705

SHA256
7a299e47bf436d3cd124666c575f860c37ba34f8dc251503461d7f61cf9c81eb

SHA512
b995214ef4ec496adeddcd206c3e6c2df99537ef873be16756dc64b680273e019930e640a70106ff2491c12ca750ec67e4e3010fabc08d4748fe1e4c5c0929f5

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
145KB

MD5
3e9025f93a33bf0b3caa72514132520a

SHA1
c7d38cb713410662a8339f02c7fd957672c07d90

SHA256
4f541ae6154abe6f3c0f2587aac8f8dc8b2a72972561f15eeede7aa481200a4b

SHA512
60f948f54a9f095139978173fd9be6936c77bcd2848425b1b1edf4f98bce624dee99f52ff1a599abbda3901ace77e84aa5942623960264a624f92c4de83de9af

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
145KB

MD5
8cd707ebebee0e91800439e3d3798c22

SHA1
92412a6b454cd031fca8894602b033b260d7c627

SHA256
4cac25a4ac675b9e67e489495875c3218780892fa40a9c8b11ffb2a6b9d32567

SHA512
d6bd26e3db758e4eda60e1bb91aef61d5609316500066ee955fb17d9275f093aa8ec6b4f5c3b895b256d1573b3983084aaf4ac21b9c318cbe61e520e01c431d5

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
145KB

MD5
a3c00fa4c7221a839dbeaf29e407010a

SHA1
c5ccb5a9677879236c2e7cef94e85178a341105d

SHA256
9b0a34885600bb164619a631fdf161c5ca57fed2a34d9ea50c88aacf07151fd8

SHA512
e166551a1b6c8ab66fc7eb7056afc6f2769cdbd67ffe69514b9acb8ddb9b6e679dbaa3a4d2e84845abacd4578d63602398472d27f8315bd729f6c8f096ec2ebf

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
145KB

MD5
bc30799505c53543c4a9718a9dd0468e

SHA1
dc6d08bff31047298c5fbbb48c53da664a9146ce

SHA256
8f6c53af549ff4165b45f4b4cb0df9a5768e4af083ec7d0e6f52de7a2c81ae44

SHA512
be186eca095bbde4f992b6ca47fc67622f6485d0e2e6102cf4bfdff9914d80188b45766a25fe6d5ffa83cdef04d9f4f515a30285cd021fa2e954a9413843dcd8

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
145KB

MD5
44916ead0c9264873482dbd531c24368

SHA1
160dde7483571c4cc50ceed5b9277b8109d70444

SHA256
b3d6c160adc07624cdf86a659c564610d9f527918f026bed91b594c004dedd41

SHA512
25948166fc24989c1ff753475e23d30dedf33c6a6f9cc33b783117369015afa4d470293f33288b30bcba2d75908d52496eb6fcafe02c5fecb2ff755ebee4dd73

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
145KB

MD5
d048ad8eaccd7b31224b2fcd7068c968

SHA1
849c2b0ecb209b94c5234045fe25c365d5bead73

SHA256
98838404bfc8f7e898bbbac184b4145331d336094ed6a9e09101cc56088f2355

SHA512
f84f3d6031618fe017d34b1cc9cf5b6488407ecfcdcfef56b827094e6ec4f61516e62e089dfcde6ad2cb7b84c13cb84c5025567be46baffd3c086c9157961cdd

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
145KB

MD5
1b4089b7bd7f1cf849d52df490222db7

SHA1
bae7a2f33d33c38b93106978bb2dccd6727645d4

SHA256
d26f26218bba445b9da46f0c34f55936acf90f25302980ecbcb71db5399dae49

SHA512
5f1a7b2a9e188c9cdb00eb161dbb044dbcc1afc1c000b2071eb0f55cf07e35fb1f8fb4d2d4045fad9ce167dfe30e5f52ec5c43ab5005dd860055c4ea23f6e058

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
145KB

MD5
ced8f4c68d1d3188067f57cf90445896

SHA1
a24db3a56c238a57e163005755b294a2423b65e0

SHA256
1195cd510a5c70fa7833f61b3970e6546a29fe3aaea3f456b8566d439fbfa2da

SHA512
936fa0172df26080a13eb8dcf80aba40dbe28cd04a606049a81649c6ded8f3f08e3fe8e5e4bdcf7b6eb2458d7bcf81af126c75aa79015f975b88fba8115497e6

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
145KB

MD5
8342f5841b40354c9b150771b74d66e6

SHA1
95ef808cd189fe8669d60da9536c9b2416e33f7b

SHA256
1bcef1463150b906beb987dced3111c32a99b587781350f7a3f030e07e8a5230

SHA512
97b89e81edf86bc79c1a274dd3ee6f3490a42c4bde72d2432c4f7e40eeddc5c31c3da17448237572ef9667444d2e2506bb4772bbe68374f05d52535803f3637a

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
145KB

MD5
981e115bb0299e8547482fc900072f08

SHA1
2ab579b22fa8da078f607a8b8455cd7601f77dce

SHA256
ba878a04a186c1ebff80378f8c8ddb4fc7193a725ab32feade37ae1d79f00a83

SHA512
1ad8987e10e744be8c909f050a0fa11291136a3f2eb08da047ab03647cdd0d5e006ec307ffc5ae1fc8e8d9f7cdaea7bddccc8c243f3840b7d393645c1886edfb

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
145KB

MD5
3068901879af0d23d7e2d50c94ee62ba

SHA1
3fdc2249963fb73f23cf53f5e18a5b850f7cd389

SHA256
e71f739ae771380a2746e7b0d82d5646e4144b2818a13a3c45c90509a4988fa9

SHA512
7d92ceac316675a4b0dffb409457c5760e98858948caa5df1a2fbce67ab075c3b493b7fdf761f083e46f5ff1a8d461e318c35109febe0dee103a329e2dfed1fa

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
145KB

MD5
927e8dd1ef9babeba3250ee7129eff84

SHA1
5fa0f9b0ac07a7c852c924e039e50f21a6ea5d40

SHA256
c2c589c5758fb4d7568af2a8a9cf400a54d40713c8eab8dcf8edd70b0fe322af

SHA512
4fb141d1e1d6c441a9897f8d89b020ce6e99f8746d7f95c9a1ba28e397326cc3b48e67c6a079cee1a429ff5723e8460a0822f4bc407a217b1e170faa4b2f11e1

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
145KB

MD5
b8ca96283881c2a8b2531886db9f20a6

SHA1
83f26a6c5afc3f0d8b9b4f210e17d691d3b4c94b

SHA256
2b701a125328150fbf6837f11768b2e17015591023fd7a8bb83544019b690ddd

SHA512
7420ecac83db7e8eedb1e124b61d4fc7236395ed9e6fa90dbae5a72076d59c010ff9546140b4e80715205d4b64b49b5e553fd1d9c117f96dc8c405913788f31c

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
145KB

MD5
bfc13780a294c61878b68244dcffcc1a

SHA1
b7daa2e53093e977e52c66f595f73a0a13c47446

SHA256
32360b1519adf1713db7e420009de2e2e4b3d627853ec261fa9737de3de95b75

SHA512
b439e905bfa16109f91b301ba2e68548d024ddac892211655ff1212a6c026374089b5c19deb3c7d619fdb068f320479ac999bbff0e6ba5930de6632de205da44

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
145KB

MD5
793ea501f0bfc67ddc33a88b813929a4

SHA1
c77544a8c25fcaeb2da9d53cc8efe047cc58606a

SHA256
c7b812ff165a88deef551d82e1b5796142f86525eae9fce585fb645f846fd75e

SHA512
a63b64a8cbb373adf5f82fded57f631cba09cac25d77f3c717f72856e2f0ce87e52288137ead2b320cae0c106258252932bde0f06fdbf26028e1563dc1ab1e8b

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
145KB

MD5
e3a7fea1ce737b0c33833b0b0ac6b21e

SHA1
3e92220f0436037cae9f6ad1350ba80a7c5398cd

SHA256
749a843e7266609476861c9793e84050d28f2497de9e2366c8103ccdf3ea5e09

SHA512
1a91dcd42d237dc552dc1e7486b8ae677aad5baee5c7c59d3dd8224e68f71fd1fbfe1bb16dab43f2f1045d6bcdc41e98001ccfdc1782dd712516e83d6b14cf07

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
145KB

MD5
a0bd516e8c0ca85fd8ba184de06914ba

SHA1
e8ea4dc59b2a67553526823024464682f190b0da

SHA256
e93c14dc0bb235f784c33a37e85d429d3fad9a3e523dfc6a2a51592f8bf1bfe1

SHA512
1de8f8efad6628f43e5b14632921ae52069fca0791377a633db61a3498fa03a942332cc605404196e974018c60f5e848e2baf28e82bffe0078546fbf6cb41b77

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
145KB

MD5
64740f8cf80f3505a6462fb4c42b0003

SHA1
0ef623ff8b065e3574fe6d94c5348bdbd3115df6

SHA256
0c16ac0091fff90c140e6357305c5e262615baf050345d51870c998dc015fad0

SHA512
f4aa4b69d10809c430891b19337b2861d4fbb987bd5170a3baf4658908c18bb0b35df58d5b860ff4749a96f60becc00adbd8c3e4c26585ccface4f7f8cfaa74f

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
145KB

MD5
814ed71b4b359a4cc2076a9b8663ea95

SHA1
14bf263b3a4f3592c8c508058b7c435213370a93

SHA256
95ab218ad66c424ed6a229948650043ce652925479785617bdba1aa45fb55740

SHA512
4abf2d01b20027937bd4a9ff5b468092b8e32fd91441b99da4ebf36267733cf2aecc405e76f1b8cc8208394f86bc6b8508f1ac00b9fe8379800ab3c50ea0cfc1

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
145KB

MD5
e1c560c7b9251ba2c01316db475cfc01

SHA1
483ab489b0ddc11e61a8d89ccce405919c3d99d2

SHA256
57a977a6f454615e95f854aa4475f72aaaffaf05b9e1c0686821fabba10260a3

SHA512
5eb36b4772e7c0b34f8458169db3be78f69b663cc383e560d681192a457154105d4be37505916f5fceaf524ddcead3148b940eee9a8ee44aa467df06f34699ac

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
145KB

MD5
37c4ddcfc92fe571cf008c2174a61908

SHA1
a0100ce591234f11f03961b6251dbc05e99265c3

SHA256
1a9ed7f1eea5c4d7ae483b5d5aba031017a2578dfdffecc968b9a8f14776faa8

SHA512
f96d61e9cb00e90c0278ab1fe53a2eeea2ef6a0b3901e6dd43fe99bb2a03d125eb00af7a48fb62b676205a7c4e3503400776f916213bd7c0d69976af6acfc401

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
145KB

MD5
8c802bbafd66ff5cac1d4bc1a63b36b6

SHA1
714bd617b1a5832a3a706ec89428e57d4e1c56d3

SHA256
96cbafb25cbe25d8129d6fe505f10e047d4e1654655d73d4cd742a6f554baabf

SHA512
7a42efc480c5aa0deaeb1d6bd16f43b9dd0ca2987db8f383f9f668aa0ae169780c534037828de4a85bfa67a4ec847394ab9d9557e919b7f0d9eb9d372e79e4f9

Download Submit
memory/60-472-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/632-247-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/684-571-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/756-415-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/768-240-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/852-377-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/928-165-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/940-273-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1004-398-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1112-607-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1112-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1180-65-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1180-589-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1372-184-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1436-347-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1472-192-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1756-434-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1776-551-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1776-25-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1796-383-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1868-176-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1932-45-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1932-563-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1972-497-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2004-291-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2120-302-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2168-451-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2276-373-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2284-597-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2284-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2332-200-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2576-215-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2720-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2720-642-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-495-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2884-591-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2948-432-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2956-405-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2988-157-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2988-1383-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2992-564-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3084-331-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3124-479-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3140-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3140-545-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3144-320-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3180-577-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3180-57-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3216-557-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3216-37-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3284-207-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3292-485-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3312-359-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3480-538-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3480-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3540-255-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3580-342-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3784-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3784-590-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3812-284-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3956-224-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3956-1364-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3964-314-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4272-312-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4332-232-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4364-578-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4400-459-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4424-49-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4424-1408-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4424-570-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4488-509-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4504-271-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4508-540-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4532-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4532-649-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4536-289-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4624-621-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4624-113-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4640-445-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4736-526-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4736-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4736-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4836-532-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4888-120-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4888-628-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4980-96-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4980-609-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4988-417-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5008-520-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5036-104-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5036-616-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5072-635-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5072-129-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5104-365-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5108-503-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5204-610-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5204-1236-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5336-629-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5400-636-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5464-643-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5712-1214-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/6504-1126-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads