54699c2967e181021f390b681ea5ff0ad721f4cd369c619a12f7419d3a126b7f

Analysis

max time kernel
138s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 09:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe
Size

64KB
MD5

e77f5c94928ad2695e9fe64bd8d95a60
SHA1

6659b631ac998897d9862c9a2f297c313d614f9f
SHA256

54699c2967e181021f390b681ea5ff0ad721f4cd369c619a12f7419d3a126b7f
SHA512

940afc9bfdb04768cb8ecc95d891e81ff95bb5c179b4e88bcf1496274555ff66a004d3c234bfcc82f44bc8646fd31658e7fad9878148eb4d401c2b18f84d2c39
SSDEEP

1536:5Wwi3mKMNH9Ma9qXsl/QX6J2QphEhbeO6XKhbMbt2:fupkR9ys/ieNzEhCO6Xjt2

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe

Executes dropped EXE 64 IoCs

pid	Process
4084	Fokbim32.exe
4628	Fbioei32.exe
3752	Ffekegon.exe
3484	Fmocba32.exe
4960	Fcikolnh.exe
1040	Fbllkh32.exe
4556	Fifdgblo.exe
3912	Fopldmcl.exe
1132	Ffjdqg32.exe
1920	Fjepaecb.exe
2244	Fqohnp32.exe
3672	Fcnejk32.exe
1144	Fjhmgeao.exe
3000	Fmficqpc.exe
2668	Gcpapkgp.exe
5112	Gbcakg32.exe
4548	Gimjhafg.exe
1576	Gogbdl32.exe
1956	Gcbnejem.exe
2220	Gjlfbd32.exe
1984	Gmkbnp32.exe
2844	Gcekkjcj.exe
4344	Gjocgdkg.exe
3828	Gmmocpjk.exe
884	Gpklpkio.exe
1124	Gbjhlfhb.exe
4948	Gfedle32.exe
4336	Gmoliohh.exe
64	Gcidfi32.exe
3096	Gjclbc32.exe
1352	Gmaioo32.exe
2296	Hclakimb.exe
2292	Hfjmgdlf.exe
1076	Hihicplj.exe
5048	Hmdedo32.exe
3388	Hcnnaikp.exe
448	Hfljmdjc.exe
5080	Hikfip32.exe
1268	Habnjm32.exe
3788	Hcqjfh32.exe
3064	Hfofbd32.exe
3244	Hjjbcbqj.exe
2768	Hmioonpn.exe
1216	Hpgkkioa.exe
4400	Hbeghene.exe
3696	Hippdo32.exe
1524	Haggelfd.exe
3528	Hcedaheh.exe
4568	Hjolnb32.exe
2880	Hibljoco.exe
4836	Haidklda.exe
4056	Icgqggce.exe
2848	Iffmccbi.exe
3156	Impepm32.exe
4184	Iakaql32.exe
3524	Icjmmg32.exe
3124	Ifhiib32.exe
2952	Imbaemhc.exe
2956	Ipqnahgf.exe
4020	Ifjfnb32.exe
1988	Iiibkn32.exe
4172	Iapjlk32.exe
3468	Ipckgh32.exe
2936	Ibagcc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Neahbi32.dll	e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6944	6852	WerFault.exe	245

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4084	3804	e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe	82
PID 3804 wrote to memory of 4084	3804	e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe	82
PID 3804 wrote to memory of 4084	3804	e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe	82
PID 4084 wrote to memory of 4628	4084	Fokbim32.exe	83
PID 4084 wrote to memory of 4628	4084	Fokbim32.exe	83
PID 4084 wrote to memory of 4628	4084	Fokbim32.exe	83
PID 4628 wrote to memory of 3752	4628	Fbioei32.exe	84
PID 4628 wrote to memory of 3752	4628	Fbioei32.exe	84
PID 4628 wrote to memory of 3752	4628	Fbioei32.exe	84
PID 3752 wrote to memory of 3484	3752	Ffekegon.exe	85
PID 3752 wrote to memory of 3484	3752	Ffekegon.exe	85
PID 3752 wrote to memory of 3484	3752	Ffekegon.exe	85
PID 3484 wrote to memory of 4960	3484	Fmocba32.exe	86
PID 3484 wrote to memory of 4960	3484	Fmocba32.exe	86
PID 3484 wrote to memory of 4960	3484	Fmocba32.exe	86
PID 4960 wrote to memory of 1040	4960	Fcikolnh.exe	87
PID 4960 wrote to memory of 1040	4960	Fcikolnh.exe	87
PID 4960 wrote to memory of 1040	4960	Fcikolnh.exe	87
PID 1040 wrote to memory of 4556	1040	Fbllkh32.exe	88
PID 1040 wrote to memory of 4556	1040	Fbllkh32.exe	88
PID 1040 wrote to memory of 4556	1040	Fbllkh32.exe	88
PID 4556 wrote to memory of 3912	4556	Fifdgblo.exe	89
PID 4556 wrote to memory of 3912	4556	Fifdgblo.exe	89
PID 4556 wrote to memory of 3912	4556	Fifdgblo.exe	89
PID 3912 wrote to memory of 1132	3912	Fopldmcl.exe	90
PID 3912 wrote to memory of 1132	3912	Fopldmcl.exe	90
PID 3912 wrote to memory of 1132	3912	Fopldmcl.exe	90
PID 1132 wrote to memory of 1920	1132	Ffjdqg32.exe	91
PID 1132 wrote to memory of 1920	1132	Ffjdqg32.exe	91
PID 1132 wrote to memory of 1920	1132	Ffjdqg32.exe	91
PID 1920 wrote to memory of 2244	1920	Fjepaecb.exe	92
PID 1920 wrote to memory of 2244	1920	Fjepaecb.exe	92
PID 1920 wrote to memory of 2244	1920	Fjepaecb.exe	92
PID 2244 wrote to memory of 3672	2244	Fqohnp32.exe	93
PID 2244 wrote to memory of 3672	2244	Fqohnp32.exe	93
PID 2244 wrote to memory of 3672	2244	Fqohnp32.exe	93
PID 3672 wrote to memory of 1144	3672	Fcnejk32.exe	94
PID 3672 wrote to memory of 1144	3672	Fcnejk32.exe	94
PID 3672 wrote to memory of 1144	3672	Fcnejk32.exe	94
PID 1144 wrote to memory of 3000	1144	Fjhmgeao.exe	95
PID 1144 wrote to memory of 3000	1144	Fjhmgeao.exe	95
PID 1144 wrote to memory of 3000	1144	Fjhmgeao.exe	95
PID 3000 wrote to memory of 2668	3000	Fmficqpc.exe	96
PID 3000 wrote to memory of 2668	3000	Fmficqpc.exe	96
PID 3000 wrote to memory of 2668	3000	Fmficqpc.exe	96
PID 2668 wrote to memory of 5112	2668	Gcpapkgp.exe	97
PID 2668 wrote to memory of 5112	2668	Gcpapkgp.exe	97
PID 2668 wrote to memory of 5112	2668	Gcpapkgp.exe	97
PID 5112 wrote to memory of 4548	5112	Gbcakg32.exe	98
PID 5112 wrote to memory of 4548	5112	Gbcakg32.exe	98
PID 5112 wrote to memory of 4548	5112	Gbcakg32.exe	98
PID 4548 wrote to memory of 1576	4548	Gimjhafg.exe	99
PID 4548 wrote to memory of 1576	4548	Gimjhafg.exe	99
PID 4548 wrote to memory of 1576	4548	Gimjhafg.exe	99
PID 1576 wrote to memory of 1956	1576	Gogbdl32.exe	100
PID 1576 wrote to memory of 1956	1576	Gogbdl32.exe	100
PID 1576 wrote to memory of 1956	1576	Gogbdl32.exe	100
PID 1956 wrote to memory of 2220	1956	Gcbnejem.exe	101
PID 1956 wrote to memory of 2220	1956	Gcbnejem.exe	101
PID 1956 wrote to memory of 2220	1956	Gcbnejem.exe	101
PID 2220 wrote to memory of 1984	2220	Gjlfbd32.exe	102
PID 2220 wrote to memory of 1984	2220	Gjlfbd32.exe	102
PID 2220 wrote to memory of 1984	2220	Gjlfbd32.exe	102
PID 1984 wrote to memory of 2844	1984	Gmkbnp32.exe	103

C:\Users\Admin\AppData\Local\Temp\e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e77f5c94928ad2695e9fe64bd8d95a60_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\Fokbim32.exe
  C:\Windows\system32\Fokbim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SysWOW64\Fbioei32.exe
    C:\Windows\system32\Fbioei32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\Ffekegon.exe
      C:\Windows\system32\Ffekegon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        23⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        24⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        34⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        47⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        49⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        52⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        55⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        56⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        57⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        60⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        63⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        66⤵
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        67⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        69⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4232
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        71⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        73⤵
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3460
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        76⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2192
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        79⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        80⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        81⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        83⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        84⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4792
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        86⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        87⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        89⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        90⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        91⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        92⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        93⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        98⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        100⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        102⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        105⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        107⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        109⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        110⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        113⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        119⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        121⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        123⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        125⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        126⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        127⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        129⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        130⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        132⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        133⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        139⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        141⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        143⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        145⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        146⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        150⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        151⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        152⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        153⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        157⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        158⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6852 -s 400
        159⤵
        Program crash
        
        PID:6944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6852 -ip 6852
1⤵
PID:6916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbioei32.exe

Filesize
64KB

MD5
77cdfb231e8e9b3ba7ec1d716308601a

SHA1
1623c11add44aca1e18c01755b5e9726fc0e7330

SHA256
44d18adb559d8dc3fd72a6bea32fb5346652fb8fe8f68bd1de09c5bbbc4f7d6f

SHA512
1540cd8afbb5ab0793a0b694741651bac679c01c035a3858360d67ddfaedd0207c35beb7f1df7c183f4fc43ede67a0f6a82fe5206697f62ebd578e97a03d7539

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
64KB

MD5
66d36945e2d3aaef3eb2808d8750939a

SHA1
24b0d7a51e9fb4fbccf736bfbc78cd30e674c810

SHA256
798b0be06c1305a605fc978e042a7bd8da5dffd92b1ed8621428e38617b6b91d

SHA512
06bc73a0f8a4fabdc8b140f0db67a86b2d9f133df062a58567826d9baf88d1f4f7a92e3096d8d61240fbca8dadb7017f2e7a68641305e464a458b93c28f67940

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
64KB

MD5
76359051cc9bb0fe07c2804d0dd98802

SHA1
03fe1c71e03085a5a874915bdd0fbbb536f8200a

SHA256
59d2cb7782f3d0752a8454889dd140c43f6464b7b20186360bb9fbc3dc85ce46

SHA512
352a2d6009b47777fc70333984fa838f2dd88bb0cfbc453876b3d2f5848df7a8a1ea4747a7f6d7e1c41644d1e7187751ba008509e993137f050995424779bde2

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
64KB

MD5
ba1f21ea3a8916c272d7d2ad163584cb

SHA1
d9b7c42660d1c79b1f87e74b46aedf7d07c3a0b5

SHA256
bce04927dcf64a776581a44a982fef9a7169f9a26b2e0e99fd587ed29f6a0eda

SHA512
9bb1de90d9a247546725405d6fbec7cf68581f1df8abec58d78754085c54e1e8ddb047dd3da5eaf67cd6f861586ea3dd5aec6ebbd564cb619f59132cefc30cd1

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
64KB

MD5
a4bb92db3e55154a0698fb5a16c6f558

SHA1
4de4fa32277944e174893260d715436c95400845

SHA256
b529f868bb20be337f3128c0d23479eb43f51b9b930a120f4b56337e2853e238

SHA512
16b037df716a70153eea69e70f7cc390fae03592401125b34f1590d775e63b83f7803eb718994b9e795b259d9bf6220d40fa7a9fef837c7bc2096c767d9ff5c3

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
64KB

MD5
6458cf39f004c4edb04a90abe804e49a

SHA1
572d4df9d0e8839bb6a4c172c9f03cec2c40071b

SHA256
e1376af93b98946b7ee644b033ab10e8e2c54459693c40e4c30ab423b91a9606

SHA512
fe31991a5a13b84d3e9822956f8fdb20bce54f82ac3118540bccf3076a8e092aab8185c2093bff20f522bdcc6a94336e143bdaf912b97fa3b9d898ee6110792f

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
64KB

MD5
93a625992664ecedbb6ae20b7c35867b

SHA1
3c1373402b732f9c7cd73fdbedc23f4672881b00

SHA256
ad56b10dd663fc0f23a7a74dab030b3710d84c8f20ce45cbdfd6f4a8d6b5b37d

SHA512
1976b709c2cd53154afc1e964f9d888268ed65471b71dc9c03faec1f6db46cc039d59234e90d78dcad10f607ad70d653744be129f9063b2f8910899b804a9ff7

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
64KB

MD5
b7f9cf576e490d063da54d209251c873

SHA1
ad48cea1211ef074fd0e31865acbeed453fa2233

SHA256
edcfa452d083a271d98ec7231d1ee24ab00caa3b5e5fa2828b668df3e6077067

SHA512
f9abbc5c7cceab3026ac8084aa29916420faad7954dfa97143deb199d45f90ae289f33a99d49d8238b88e743588c0b8691333e0d6ef5c61c9ffe507a79cc15c3

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
64KB

MD5
b78754356cc70c5842a95327ad4f10d2

SHA1
8a18b14793a3cba13df58735b9016d257846e697

SHA256
70c8644cb58bba2a7374f6bcac8369efa63675899da9eb16ae3db5f495102603

SHA512
a07c27afa96ea1b73df2559a842000ba974f44157146e1f0d12d1ca0afd90c858b9b2b87700b6282521fe30aa896354866c937e84de839a79e5af07e11c28361

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
64KB

MD5
765116b8dcda2aa504da9988d37c3d40

SHA1
520214a9982a17a37346a7c03d4efc0551f58d07

SHA256
86cb92ee9871d6bd22bc30f56bdd7bf398b017173b65aae6e8f753b4be8da675

SHA512
92ed2ec42f42324dace29f80e1e75376f22ba2e3a17550513a075d29a0d2d62a306ac3adf3159fd78a07c4df428e4406351f9c8fafcd73a3b4aba3b4131b9a57

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
64KB

MD5
177333bcb13a4fcc98dc9c9ab2c8271a

SHA1
7589bdcd15cd76330244e805d07795f825c66b99

SHA256
8b11dfefa2e2b5c1c42e8d602dd9f80ac3584e87eb7fa82ff5eb3ff74b39b248

SHA512
f17aac1ad34b214498567feedb29669135e04489fe00ac81a706f6555ecafde0098587df03c74333c8c26f7cf3a590bd0ee214a777f0662f60959201f703fc0a

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
64KB

MD5
b2a73b2dafbae30275ee962936e72b73

SHA1
10a7a8055b5b20b11ea95c324a45f8918b277acd

SHA256
1f0cd7f2f5f25382aa0851368e2f2aec827d3be59d1f80c7169c0f09fd0cbd4d

SHA512
67408fba6b9932fd36a5156ed825768d57a6112e36d4fc47bedb472e6478402a2275a8ad389b732c94e55d2d7e9c624c284c95fe71fec88430ab5b8bf6cb4922

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
64KB

MD5
40b74d2896da4c13aaa07927fca770e2

SHA1
2b92b70d084b5421817665e1a999b55b5af7f39d

SHA256
e6791be69dd4237b0b51f81ea377824272a1985c3b4998f09a56729086415fac

SHA512
15dd472a6f187c778dc47b00b4b83d1ea77901fd4ff3aebc2986c4011e636f3010bff9d161dd4482017b57e8ebae990d8934366e3487acd5bf82f80804a7a604

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
64KB

MD5
fa2e37834129c2606795eeb651073e30

SHA1
f7a7f1b49372f09852a66e0609df174287f625f1

SHA256
3e8f4d2fb414058731428521fd5162575627ab659b9982a3161041b44ff70555

SHA512
a80cfdf235f2bb4b019ab1e41188820b64ea242e9c49928d6febe4b1625c54dc597ba82d2928eab764dcbcd6eb51c10eb86edf49e711040408bbfcc633d688c4

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
64KB

MD5
945d3bc0d7672b8204065f5b937b9883

SHA1
c934256e5bd688e04203f5c5bb52f05401fd57d2

SHA256
4455032dbce403802fcccefe238c78b7798ca84a59251ca7d7ad05979e0e99e6

SHA512
cc425b7d37249882f1f71c9b21fca9449e9ea6f0557107c950cd70a6cbadf6eb25da66e5973a2285e4bac3567c9365250790e53dbd869f5efd8bb5dbda7ad9e7

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
64KB

MD5
a91c2240aae3974ec0bdd86101a46328

SHA1
2beab24b5a3797e7b6628cab441f81408a165ea8

SHA256
d452a5de8309e8b91973a8a60f313219bab7a0d0d8c6ea82b302f53303d97e7e

SHA512
575a2cd5a9fae87751e39eefb03909d652003e229f6303795ca762e32aef61faa902ce71ce6ae020a0ec13626310dbe28d024c29edaa2ede5f9fb45660605b39

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
64KB

MD5
a6ec1fa122d5195823593d6f5adf0b19

SHA1
bf04eb88ec097dc0f0e81fef0da9b331c30e6c01

SHA256
178dd8bfff0ad9c2501076e7aef3cfa926f1c59391264a91906f9ea38eece324

SHA512
cbc6cc3b202daed193ca378fc5cb4db9afdf6d45a1d6d4fd8d224631317c5aea1417737c345702eef71b77b8d54c827ac464eb3ee29a07409473d8a4d8f7598c

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
64KB

MD5
381fa662d58d373cb93b0cfb04ce3038

SHA1
cf6d877c388810596d0f023e11f68845f77957c9

SHA256
65aeb976e768255ff77d24b742b44971c9d5d00346d7a30fbd7737e569cb0708

SHA512
978e3574425d935a7dd1a2d0dee5acf26869ab034113e7c17ce43616484750ddbcb72c98153755c6eadec51eaaecbeea87fafd81c03610b4667ada85453e79f8

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
64KB

MD5
b89aa2fa65bbd7cb9f7a1eb425d514d0

SHA1
bce606083bea264e87926495428bdfadb89bbb3f

SHA256
071d5a975691ab17f5de86eb6b706811b20a375dcf613a2981e0fcf1ae536b20

SHA512
d420e8ac5e1164a38844b0986f6e9dacd4b208374de6ab3f71160dd88e1bb322795c6c517f911cb238241eb63ff85cee28a12dc2c0a099cc282789d2bd0abc09

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
64KB

MD5
76c863cdd3a1288e8a9358aa0c0533af

SHA1
d30a29f900157cc71e5239252fa9d5916798d7de

SHA256
b4bc8b480d34709019bab93abeec7c404546440ed9706d5325aeae7efaa69294

SHA512
84ee80a651629cf6c14dba8b1a3afed308d522823b8599a62fd49627730c02abdb9598b312ed7f56d0c915004e50816263f4c51902f6090a93589b654fbf1f3e

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
64KB

MD5
21357612f587ca31a8bc8a3e77e697e1

SHA1
8e2f3a08f0345fdfb15eb9446c0a911c5d12c57d

SHA256
c4cc551ebf4999c2ca7c694865564416b08c7dd5a6e5751205372b69e95f5083

SHA512
0a8545f00f38c9efc675ff36755a9c4d92e3cb922d257225148ff91899b6c3646e7bf2527d8e91d2aa7cbcfc551bd17ad1bd6a8cd42f3183bab5be0ec0bc14ca

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
64KB

MD5
507efa10751e0f1a953467565ffc0ec4

SHA1
046e388e7ae387e9d27f10ae68de92f0eceaedd7

SHA256
b3803e3e7c336b769dfed313f98134cb9720d8878dcff280f0a92c118a205084

SHA512
b7b341d97067ed546a183817cdb769fac753124f23f6707d9a78fa7b903226d0156a002b1ba346ac8827631c0eff049ac787d35e08b61a86a427aa2691e27098

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
64KB

MD5
61792310144d75047737133d90bc3c93

SHA1
a04ceb5079ec3fdf8281de6f6007d75a003440d6

SHA256
c2c4394ff16f71dfd0945a57f330d10ab0eb840dc220a3b9f06844720bb79d91

SHA512
213360d71f4d3e1b9b0e049dc02b68f4e54f94e07aba505569643b2bfd47fab982819f329c8d5d206788332720a5b790458d137bc86e35ef01325531caf901a8

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
64KB

MD5
6a9bfb683de3def59c5410a65ca7140b

SHA1
7609f734f33076f3bc3fe7ad250dcb23af425a5c

SHA256
38b4108f98eebc2caa1bff818883da6d613f84de47b74c9c57291863a1cb38f9

SHA512
b0472b50c5227fc3fb621cec38778e81eef218da6e9a20a7aad12005e5641d1f3452d9266514f4961d5c14bff01c16535e6287b1de7f34a123e3452d1b83c979

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
64KB

MD5
884873cbe9d11c39029a59194d3aa401

SHA1
e30ba5ddb5793bf55048115efd28ede167632255

SHA256
e32638f2214aa46e9b83804a1836356feeb098acab7c6ee445772d78a46ea54b

SHA512
0c6ce5694370691f3bf16cd12072177e2c585fd7dc29742b1e327570141fde71bc22db27c268f2a8b7c63db19cbcde2fb1072a5b706a636a1f70969d23a0ad57

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
64KB

MD5
456a1235c8b875fb9647bab8e23a778b

SHA1
d6a97c19018e966b1bb9df36e06d1b7f8fcbeb72

SHA256
bfaa76663a5825c56702f577cc5e04e77dbcdf2b46ba39f83d6e7462fc7b0a85

SHA512
13960dc41172fad66d082ffcbf2e89c15c83296caefb9f4ba0c652bc44a6987e9712554e2672dbf7f58b7d30e55e69b9a24d31dd51f40ebcc35fb14902f586f4

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
64KB

MD5
6268eb95b7448f1dc12562c7b7c87f67

SHA1
538838f4d91ebfee54abb4e17dc5d43a7dad5e18

SHA256
ca4791d81617ab38860fa4366ff6e723bb34f2a577bf0012572b611347b461aa

SHA512
bafaf56af4d704c9036e0ce1f45f4878dfbf27e6d6a82ce82e3575895e6d3c468a2b2b0b3cf91be3592857f3de28b52a2616a944d34bf5aa2a2e881e8430f331

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
64KB

MD5
ee9cea3609a68232f4451c901a021b9d

SHA1
de18a6f6e876488f701251a585135a1f11691e13

SHA256
805ae0122842fe8ba4ef0a21db1b4f9bbce6338a32e376154197da2aad4ab79d

SHA512
36dbb63554b68f987d61098e00e0646aeed2dd31c2fbfddd8658c06cafa298f02d48d88a09c1f57b4fe8fbc159ee7792c40b1c77f32c88fedf49e44f6ac2d261

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
64KB

MD5
0ce3213a7eeb7c0c69588a9c0cc22802

SHA1
3fcd929e9f98a6c9a719f84a89897352e365b6df

SHA256
31da01006c5166d98073aabad7970f28f347118032a5e69f18bb5bccb31e804d

SHA512
cd4efbf6424adb4b37ea2f5a8c1aa94059983f11faee6d6a84be89f2cfc9ae0ee16b1e5f418c52ba4b12fb7760c4b30f3c2778f6134445bad76ab7e949168b0d

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
64KB

MD5
08f6d33df6fbe3dd8a027d49247bdecc

SHA1
4e8e62e7dcaa72a730e7a154e605ab2dff3ae4b9

SHA256
1a958d5b3021ff1d5ee63c615fc27d98047facf26dfbc6d25da24515da7533aa

SHA512
a36f50118015dfd2db56fab549cbac4bd5e4031884f949fe9281751da59abd9c3b6c8ec5d87398434c92810827ba78273b3e4207cb59970acb07e5c65a3e6f00

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
64KB

MD5
bc4fddf1e5c61e782c9ebe5f5b3eb1ac

SHA1
1169b6ea43a3dfb6c55edaa931e47f8d2273c9fd

SHA256
20a89c54837384d09727769625d94e8268cc2a3df448bddcd04e7df9adb0a481

SHA512
0212dadd596683c724c162333aab3fca181d31437a345075fd1fbdedbe2386eae3ae48e41aa3bf2bc451b617c000d37670c6788f183f19e3dd0ecb313f41ed0a

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
64KB

MD5
30aa15c8741b3ada846e34b18086be2f

SHA1
072c8005805eedfb606d1919dd0f1e86758107e6

SHA256
807a2fba8556976242c1654592460fa783a6ef04b318433a6f8d90eab9551524

SHA512
d9565a8767eb0b695818cdbd4a577be6b70c47b4218c403602b92e6cd53f97b650e915633e6d630f8034caa9130e0ebdaba25a64b83733b0f5f70d09e2f4900c

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
64KB

MD5
cef23f85db41072327fa348e1311cf6c

SHA1
e2569404d1b3b9dc685f26d2a5346b61454e6a2e

SHA256
0fce7dfccc67fd5c6a9dcb7a27dc22d5df9e6621028e4318fe6ba329c45aa863

SHA512
f16eb6700e593b91ed86638bc9abe3fca15cc96385e88b693292a335db37c6f57ec46bba64480f682c24d97f46e61aeda088187343ff176d9a207a0b41bcf8fb

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
64KB

MD5
747ccdd10901b0f65ad9d2140d54837e

SHA1
c72b8f70b29d85df762a7cab9730d4667f8078b7

SHA256
9bc8c533d419ffc09b5709a7f84e138494fc8dc1562cdba7619ff7eb8d11b700

SHA512
0b05727fab1cbb3870ed63b37733e373a5fb2e12627270a45fcafd2f9d10c047ca6868ec0a00a22749fda304168b8f2645bc81ab9548b4f04ceea689df5c85e6

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
64KB

MD5
453773f9ff536d1e16a3a600bd34aa5a

SHA1
37b60e0228d6d3a16945a0f0cc6555430d11e13c

SHA256
10bc6b4958b9e1ffda2f87dbddfc3640a377f1802d852728609193c7052b07f7

SHA512
7a0e6e0fd6661bcb56940b3f3d68d118fee7a1c586150e3695da12df2b6a7fb6c609ef137275b9f1d74479194e054a6991e4ec36bac95ae18bddf6a30251d671

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
64KB

MD5
11d77399bb11afaeb714027a938426eb

SHA1
4cb2442a94d2de41eddf358c754edc43680c8cc7

SHA256
ebf1bed34fb1272b16eb058fee736c43a64a87a0d7216f8614d0d7b563db3615

SHA512
0012bc49acdf6a6b15ac6793198dca6599b11395bbf69d692ee56af942061a804ab1cdb903631ff947cb222b1c786b097a2f3b2ef304056cf8e61f4e0bac7f50

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
64KB

MD5
cf13643645c205904ccf046f73f02d18

SHA1
dc3519d552998810563af6fef5f935f033a200bb

SHA256
f80f12dbaf55f88fd6c508f66242fbc6e3b3a48fe062725d94771b82b9cae102

SHA512
c3e58d481ba4b96e7d728b92367cdb3a9f135f7bf42a2531ad604fd179d5fb94c576af25f5272ea3a07feb120275a0ff4d6cd5a52790bc67589bbce67fc44587

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
64KB

MD5
5aacee0a9bb158ee90e1b08cdb8047c0

SHA1
b2484c194991bee6d22ac8bf3f058679647eec38

SHA256
f0ae7a91c755237ab7cd4f270761682b5206976b8ba14a870aec2ea0c74ece17

SHA512
97ce18ae8bbca0abd4d8abd5ad075648315edaa9f9c60b29199f9d6a216137983a8b3005014162bad9d4c6d6534937cd86783482d7115ff1156768f223085fa0

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
64KB

MD5
f9fc2c7f256752106a03454af8a6e682

SHA1
24bfc9dff6310c75801c8f6e8ae0cd185e5bb03d

SHA256
d8f3528b939f8f4953bdf967232754c99fafe0d0c8a08c550fe4409b1091e8f7

SHA512
dcc36700172103dc10b94d6b2e5c8841bcaa551c205f4b7fc33f4781c503dc8a9fbebf655eb0ef5ba6a781816d7eaa18f4deb5d3c4d2babe5f6958cada6c93b2

Download Submit
memory/64-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3156-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads