8e45c5235ab5aa651d41905101603c8c4c2496c75d3b44e58bfb68626207586b

Analysis

max time kernel
136s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe
Size

71KB
MD5

4a9ba16ac6c48aab1ecb0a09e73cda50
SHA1

5cca7b1b652e72fc0642820d014f47b23dd7cb7f
SHA256

8e45c5235ab5aa651d41905101603c8c4c2496c75d3b44e58bfb68626207586b
SHA512

4947bc34074401760abd5a827479c966821f793c1dd6568ee838772deccb1e82f680d72a30548d9f804f9bfc7415ffb6c3e0d3f3fa445b81a44222a657e0cec5
SSDEEP

1536:COE76DoDswq6nYk1MzBMfTzhDLAwFQ6zFApEsZZZZZZZZRQ3K1P+ATT:COK6ITnD1MmffhDLvQRZZZZZZZZeqP+c

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe

Executes dropped EXE 64 IoCs

pid	Process
2920	Ffekegon.exe
5108	Fmocba32.exe
4004	Fqkocpod.exe
3456	Fbllkh32.exe
3800	Fmapha32.exe
3820	Fopldmcl.exe
1272	Fbnhphbp.exe
400	Fihqmb32.exe
2936	Fobiilai.exe
2848	Fbqefhpm.exe
1360	Fijmbb32.exe
624	Fqaeco32.exe
872	Gbcakg32.exe
932	Gimjhafg.exe
3516	Gqdbiofi.exe
2044	Gbenqg32.exe
4492	Gjlfbd32.exe
1608	Giofnacd.exe
1620	Gqfooodg.exe
4756	Gfcgge32.exe
2080	Giacca32.exe
5092	Gpklpkio.exe
1884	Gbjhlfhb.exe
2420	Gmoliohh.exe
3680	Gqkhjn32.exe
3880	Gbldaffp.exe
3296	Gjclbc32.exe
5008	Gmaioo32.exe
3444	Gppekj32.exe
1348	Hboagf32.exe
2316	Hihicplj.exe
4352	Hapaemll.exe
4256	Hpbaqj32.exe
4020	Hjhfnccl.exe
3044	Hikfip32.exe
976	Hpenfjad.exe
740	Hbckbepg.exe
384	Hjjbcbqj.exe
1252	Hmioonpn.exe
3336	Hccglh32.exe
2588	Hfachc32.exe
664	Hippdo32.exe
4056	Haggelfd.exe
1628	Hbhdmd32.exe
2700	Hibljoco.exe
2876	Ipldfi32.exe
2056	Ibjqcd32.exe
1428	Ijaida32.exe
4524	Iakaql32.exe
3736	Icjmmg32.exe
2244	Ifhiib32.exe
1792	Iiffen32.exe
1876	Ipqnahgf.exe
4072	Ifjfnb32.exe
4380	Ijfboafl.exe
4540	Imdnklfp.exe
2040	Ipckgh32.exe
2332	Ifmcdblq.exe
3124	Iikopmkd.exe
3972	Iabgaklg.exe
4780	Ibccic32.exe
1668	Ijkljp32.exe
4512	Imihfl32.exe
1984	Jdcpcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Fmapha32.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Ffekegon.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6584	6496	WerFault.exe	237

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2920	1308	4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe	82
PID 1308 wrote to memory of 2920	1308	4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe	82
PID 1308 wrote to memory of 2920	1308	4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe	82
PID 2920 wrote to memory of 5108	2920	Ffekegon.exe	83
PID 2920 wrote to memory of 5108	2920	Ffekegon.exe	83
PID 2920 wrote to memory of 5108	2920	Ffekegon.exe	83
PID 5108 wrote to memory of 4004	5108	Fmocba32.exe	84
PID 5108 wrote to memory of 4004	5108	Fmocba32.exe	84
PID 5108 wrote to memory of 4004	5108	Fmocba32.exe	84
PID 4004 wrote to memory of 3456	4004	Fqkocpod.exe	85
PID 4004 wrote to memory of 3456	4004	Fqkocpod.exe	85
PID 4004 wrote to memory of 3456	4004	Fqkocpod.exe	85
PID 3456 wrote to memory of 3800	3456	Fbllkh32.exe	86
PID 3456 wrote to memory of 3800	3456	Fbllkh32.exe	86
PID 3456 wrote to memory of 3800	3456	Fbllkh32.exe	86
PID 3800 wrote to memory of 3820	3800	Fmapha32.exe	87
PID 3800 wrote to memory of 3820	3800	Fmapha32.exe	87
PID 3800 wrote to memory of 3820	3800	Fmapha32.exe	87
PID 3820 wrote to memory of 1272	3820	Fopldmcl.exe	89
PID 3820 wrote to memory of 1272	3820	Fopldmcl.exe	89
PID 3820 wrote to memory of 1272	3820	Fopldmcl.exe	89
PID 1272 wrote to memory of 400	1272	Fbnhphbp.exe	90
PID 1272 wrote to memory of 400	1272	Fbnhphbp.exe	90
PID 1272 wrote to memory of 400	1272	Fbnhphbp.exe	90
PID 400 wrote to memory of 2936	400	Fihqmb32.exe	91
PID 400 wrote to memory of 2936	400	Fihqmb32.exe	91
PID 400 wrote to memory of 2936	400	Fihqmb32.exe	91
PID 2936 wrote to memory of 2848	2936	Fobiilai.exe	92
PID 2936 wrote to memory of 2848	2936	Fobiilai.exe	92
PID 2936 wrote to memory of 2848	2936	Fobiilai.exe	92
PID 2848 wrote to memory of 1360	2848	Fbqefhpm.exe	93
PID 2848 wrote to memory of 1360	2848	Fbqefhpm.exe	93
PID 2848 wrote to memory of 1360	2848	Fbqefhpm.exe	93
PID 1360 wrote to memory of 624	1360	Fijmbb32.exe	94
PID 1360 wrote to memory of 624	1360	Fijmbb32.exe	94
PID 1360 wrote to memory of 624	1360	Fijmbb32.exe	94
PID 624 wrote to memory of 872	624	Fqaeco32.exe	95
PID 624 wrote to memory of 872	624	Fqaeco32.exe	95
PID 624 wrote to memory of 872	624	Fqaeco32.exe	95
PID 872 wrote to memory of 932	872	Gbcakg32.exe	96
PID 872 wrote to memory of 932	872	Gbcakg32.exe	96
PID 872 wrote to memory of 932	872	Gbcakg32.exe	96
PID 932 wrote to memory of 3516	932	Gimjhafg.exe	97
PID 932 wrote to memory of 3516	932	Gimjhafg.exe	97
PID 932 wrote to memory of 3516	932	Gimjhafg.exe	97
PID 3516 wrote to memory of 2044	3516	Gqdbiofi.exe	98
PID 3516 wrote to memory of 2044	3516	Gqdbiofi.exe	98
PID 3516 wrote to memory of 2044	3516	Gqdbiofi.exe	98
PID 2044 wrote to memory of 4492	2044	Gbenqg32.exe	99
PID 2044 wrote to memory of 4492	2044	Gbenqg32.exe	99
PID 2044 wrote to memory of 4492	2044	Gbenqg32.exe	99
PID 4492 wrote to memory of 1608	4492	Gjlfbd32.exe	101
PID 4492 wrote to memory of 1608	4492	Gjlfbd32.exe	101
PID 4492 wrote to memory of 1608	4492	Gjlfbd32.exe	101
PID 1608 wrote to memory of 1620	1608	Giofnacd.exe	102
PID 1608 wrote to memory of 1620	1608	Giofnacd.exe	102
PID 1608 wrote to memory of 1620	1608	Giofnacd.exe	102
PID 1620 wrote to memory of 4756	1620	Gqfooodg.exe	103
PID 1620 wrote to memory of 4756	1620	Gqfooodg.exe	103
PID 1620 wrote to memory of 4756	1620	Gqfooodg.exe	103
PID 4756 wrote to memory of 2080	4756	Gfcgge32.exe	104
PID 4756 wrote to memory of 2080	4756	Gfcgge32.exe	104
PID 4756 wrote to memory of 2080	4756	Gfcgge32.exe	104
PID 2080 wrote to memory of 5092	2080	Giacca32.exe	105

C:\Users\Admin\AppData\Local\Temp\4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a9ba16ac6c48aab1ecb0a09e73cda50_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\Ffekegon.exe
  C:\Windows\system32\Ffekegon.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Fmocba32.exe
    C:\Windows\system32\Fmocba32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\Fqkocpod.exe
      C:\Windows\system32\Fqkocpod.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        31⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        32⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        33⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        34⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        36⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        43⤵
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        49⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        53⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        58⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        59⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        66⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        67⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        69⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3064
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        72⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1100
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        74⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        76⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        79⤵
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:912
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        83⤵
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        84⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        86⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        87⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        89⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        90⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        92⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        94⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        96⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        98⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        105⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        106⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        108⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        110⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        111⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        114⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        115⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        117⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        118⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        120⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1648
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        124⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        125⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        127⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        128⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        129⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        132⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        133⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        134⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        135⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        140⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        142⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        143⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        145⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        146⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 412
        150⤵
        Program crash
        
        PID:6584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6496 -ip 6496
1⤵
PID:6560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cmddeh32.dll

Filesize
7KB

MD5
1bd97359f3b592713515b6dda110b536

SHA1
55d5eb9571066bbb90e9817f4ab74703537f0a91

SHA256
d1e7d2c50387abfe55d362158b3ce34ca7e0d03d853e49792539ad9079c6712c

SHA512
22b55429af295b35c435eba05cf52aa0e1c7914e1afe538f9339db18e2a9e17efb074506a906beaf242afc066ba9f7732afcab9000ce22eec708fa754e749682

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
71KB

MD5
2401e7d7b3cf5fc64fd2aaf93988bcde

SHA1
4e6a849510c6f70323b7a4c540cdc6933babeb71

SHA256
cd18734f66104b5a667c45fbaabd62c8c25f530c026d843e2dabc978b1e2ac67

SHA512
25e9b5b96391dd3fd07a0f6a88db6504e71032090ab5d96211d57d1ba72a022445d3c6479e3c80dd810bae35f575ea97129e6ff33d524557276bae559302eb16

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
71KB

MD5
8fecf24b4d6d2e7475c766315079a304

SHA1
021192023531f7301512560b5cb7c0688909f06e

SHA256
7ea54742bc0fcfe5f58fa25477b189c8f34f2122d634f08956b4597399a3483a

SHA512
596a2431ec768cd8f82174669f20af8c55f14c4a215e47fc9df597cce5c70d824ea1f8906c8ea87f50dc1c15fee67f1cb47889a244aea634fce1d2e79550064a

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
71KB

MD5
7e17b50f9e313ed167d178562bf01733

SHA1
f74627d94378d4acdd1c6a831eccb05c31e1c513

SHA256
a9ce5861f2932e83c61881ed71c9b4e98727917f630a9a899ceab71a81e49a0f

SHA512
89fb9a2ba4876f98b7747de4846880932bc3507e7887577c7f82a4d26c4c3799b4a738e8d0c90e045c6f8c2800a204a23b3398f98c15bb1e4115727be8bdff80

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
71KB

MD5
13c695a0779bc276bae692ea0447442b

SHA1
975bd2ab2e5fbe764ebc0a1d1f333dd6c40fcede

SHA256
7d871bd38f535d80e353355fa8a870e788153212a9912a2ef78cf694e0981327

SHA512
bfe6e08e7706b8e5464461f75b5d309232fd238fd59b051f1763d75389dac26a4f4736c8f38578799635c78c4e418d5dd6b3f463bd71341f2412a7c605c2822e

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
71KB

MD5
da0ca2aa952772c61b03352fe2ae40d9

SHA1
e2696a486230e8f0ff886ed231d5484c02a2c1f0

SHA256
389727d0f547d74bcabbe9a32974b47949660d04a7ad4e98c19b81ffbee8bc0a

SHA512
deaa6e049ef7b9bcdff2f48f4cad2212c2d2901d5326656870b29b110278104fa55ea87c3426636777989b2493912b74c71f08b9c0996638a0e2d7f057683f62

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
71KB

MD5
1172a36d2294bdeb24ea75f1686a7552

SHA1
2f4c87947e9ed9e6906fa1a2bf6c8ffb1262464f

SHA256
52a4090d965f74bb7c010a989ace33b7be61428566dec1289931b63510a15ba6

SHA512
8c1f8ecaee42c03f6ce06942ecac20948072697b1495082ab1f336e6018347da33307259e1aea04c6e8933b71bd4a6ef77146a8680e09b6a3c9a8e5c5ac65fb4

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
71KB

MD5
c7805c74712f3cd38a6fe6155f6cba19

SHA1
739bf22bb8be1c43a2c23b6e644c42356a0a88a8

SHA256
437b73cafe8b6921987e82d49ccb8dc5e12fe20db3f1023b0ed69c80b66788a4

SHA512
9fc670e3dd9081d61b9854106bce5b2cb3c5ceda912cbb98fa5a190fcbef56b527b7b805d072511a92ed320cd76b4bcd69b15032f24d532e167201ed2e474ca6

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
71KB

MD5
aadde849ce7c3a0de89891d87a3dccc7

SHA1
b46306da77abce4d4b8f7d85f53a8a1733727609

SHA256
0523b7df7a03bec5657b85e034f15e875406583ea2abf5b8346a3f5397fd47d6

SHA512
75cde945399eae380efe694b3c3749d903ae02ba5017dcb594f6feeffcb215a167101eaab089841daaad25da2440644ccb6077f5082e1c3228fd661f75197b3e

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
71KB

MD5
4d219ca1b6b59230369bcdd88eb8c09a

SHA1
0d37b58cdc2af7edd3dc476c27cf38822308a091

SHA256
4224473d19185a83d7da85a3e19f9b10431b4bcad4aab2269211b281a3c6b830

SHA512
1232d8d4bfc46126807ed0054866933b962b35f6788d91b77bd753797f9baeb9f2cfc0cc6ead4881fa87c60ee0ff1102bdc820650ff4d06589a36e3ff23e97f6

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
71KB

MD5
e1311b6efe9767dabbdf446ad76968bc

SHA1
b5b913caef47a1845d7161935386051e0a75ec44

SHA256
b7ef3d12f884a7e3233312662d11d2dc85bbbbaf0d01982872a160e0eb9585fc

SHA512
669fbe6106fd50cf9cd9057f39ddbc9398ba4c19138164794e638a39b52325b1c6d5c7e73886379241a04f89ac224b260157189c43eaa39a4fd6b4c5000b3954

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
71KB

MD5
b4be610ec78b2967929701617b1e4cbb

SHA1
5dfa013beed5000b7a3420e3b7992fa293ca3796

SHA256
7eae3856dcfc8ef92d3a78462d8f570193ab10298937df54eaf2f6ffdfcc4a1d

SHA512
ac61ba90f5fbe2559f03448212706b5ff4187c7d80319a134d0d8bb3f2594469ede5e45349532b9fec06ad58d05ba1cb6364d70f03338b02b7f17aeac4663f3b

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
71KB

MD5
236069eac5f835a64671c2457c6f9f89

SHA1
6feeed3d131f46674650d1e46f28b1e53ff98681

SHA256
dfb33778ebbbdffb77cfcab974b76a241bc2d0755decc9b4ea4d6892f665a54d

SHA512
6e880cbfdaee58f0f700425c9872c0c1fd2d5308f263e4f04a8a96adfc95d5f76aedbb88adad35ba379c0f269f7e98aaa330b708d00ed990bfe95043835c7d51

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
71KB

MD5
d8e760e12168265bfca902315384bd9c

SHA1
4b7fa0a65ff7ed2a2652c3b4b8d528a1ee2cb795

SHA256
eb1c09dea9dd6fc71e7f663c52bf7f809c1d4a41010000610debda3f86e87c77

SHA512
87fe3c05e4f8cf3f35058cc160e967a816c548949837978df0cc5c45668b63dc146772d52b171857e59b0b1bfe1143dabaa5f95e6fadb9091115b3c15cfd1965

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
71KB

MD5
bf5ef7fbc81d90696578885f60dea8ed

SHA1
7c424eed6523b6dfcf68019a76ac29bd2e824180

SHA256
06965f88fa94500c52da592e864c600dbc0a331c059b922af219f27eaeddec6b

SHA512
9d2a24cf19e04450b45d3a55a0431d9ea78c092cf45d41ea01180ceb3d172b4af063837892c8d29cef54ee2a39b522ec9c2d122f8b1ce283264eb915ceec5e5d

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
71KB

MD5
af1ce4debfac41ef75cabca78d829686

SHA1
b8523f7cff767ccc737afe092aea5d4940a3b4b8

SHA256
3b60f1f1b6e2057433cc3affefcfc8d090137424cff517a54a5985531eddfd7d

SHA512
72fa0e851a8f8d3d90e6cc3e22a7292d7adff081c30dffb7f06ee020365dc2d93f9c63148aeb1e825dd0a7ba433acf60b2dc26dcc4acf1ae75df0dee03c37be4

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
71KB

MD5
ae1947529ceb857f16156f3c08fad5a6

SHA1
cdafe3bda598475fda5290a1231e493c3e5f2333

SHA256
c86d462c8e79c879427a0f070362ed52e599004e152e516600433fc5a74c9113

SHA512
d3341c90b630bf4dab7fb91a314e7392ed2fba3bf0eb76f612ad069799907eaeaf7a5f81f00e92a373e09d1efd531df33195404da79a4c7f4743dc79252ec401

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
71KB

MD5
d51bfc5c59607bd66ef30163094bbaf8

SHA1
4ef89a53919a7840c28833919d5db94d2dd0f162

SHA256
042159b8081c66784b2705e79cf4265b5c23fef9dd6c5ab8a189c49041ed6c03

SHA512
464179a0219999646e9378dc10220449815317e1770a494aa442ca411d9a061ca0b3a41b7b4459587141304adcddbea5d574af3a6ce30ebbe04cc283f06de002

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
71KB

MD5
ed3317e98d5467f0c5dd91f96e4ac46c

SHA1
957de28595f0daaa1253c3d2fad33cbce459995c

SHA256
3589fed742beaff0224f9a7380e2fe27d014cbde40c4cfaffa27841979b8a642

SHA512
d966e2e91d2fc6e7a599943d794b34129f650094b2976e9b5d17d7e6f9bfea03786096f1063775e69e3bdccdf4e2e1957a47125d79e9e2738e420f2f8ef77ead

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
71KB

MD5
8b78a65d8d00480a970a2a303fb75503

SHA1
ef2a13ff951b0cc658426301c942c64f69046548

SHA256
0f8aafcd31ddbcea2560bd99f1d7ef9b10159bfc8864a81df0279290e916de71

SHA512
c0baaa2c83c71282c046380296eebbae5bef381e54267a2439adbea46f35ca1404c8ebd6d949ce799c4a4b6a35f1e67899e0332c4530d9d5ead80fcf369b3cc6

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
71KB

MD5
38f1041121eb9aed2461004b52358c28

SHA1
d870b92edd90d53e6078dabcda5bcf599addb746

SHA256
8fe2ed37d274703f31e5656d064d1e4d3335723bc5744ded3fd2d3e7c7c36ad8

SHA512
b43ecbdb10ba6b250ad9914f13ab4d6f4c2b308817fd14dea6413416b2fa9f4151c13bfc7bd9f5db4aecac0a8c153804b124b7bed3d93b0956f43483768751e2

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
71KB

MD5
764d740a13051bc0e2621d3ff752d1d9

SHA1
00ac8d8a1a2263e21aa722d6dc5e3251ed5fe5be

SHA256
2b4cb1e8cdc49aa1d3ba86b7a451fb244fd84860939e738c35118fccab0606db

SHA512
15e5a9d9a164eb0a0d9ad5396f3f3a603f313dd512b3a834da1958f950c0a71739145f500a87260242391087100d8d5eece9547ccfa56cbdceb8037c90bfbc9f

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
71KB

MD5
3634980aa197f2b181c6be3a5348b925

SHA1
1d043f422061a4eea59a54d0d7f469c18f49d309

SHA256
7c292103576927135ccea4bb7859f0ea503c6de1d2388bd956209f149a49c6eb

SHA512
3af18bd07c32445273b7689bfbf157cc6aa8f98535bcf918a7de037c2d5d47e5e5560db1721ef216b69538121421517f78452c6080306c251e44e58d322405fa

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
71KB

MD5
75f252a494f17fd0cb8928c6f847f8a4

SHA1
ec9ffb50ba25fe4224b568df6fd9356a0e8f2dd8

SHA256
aff4dd8c31f037710505b1204f616c752175a8027265fe69aac47dfa71ac8b8a

SHA512
bad04797027a988b4bc5a1f2ea98a76b28a201a6e8f4260274139e26123a92eef64af8d96e4e25cbf3c5e957704f2793fef20c1eaed9f023ec6d7c1588ebd00e

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
71KB

MD5
9f285e474e4439e55cd844009cb7de48

SHA1
33599cc36c5ebd820dc37c802a1b80bae160b0f5

SHA256
d562debf2df180636a3556274bc721e0a4fe37a675a8c88484f2f996bb9315e6

SHA512
cdecb49fd618d0a624653579b1dba35231f8a6e4b9036e1dc3c30e4a05acdeb4bd8c40d01a7145e86b61596e560b66408b8133a64a45b5c042785f58d2bc3216

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
71KB

MD5
706f0dfe872b67ca509f812795c00f13

SHA1
c9b90194e599d9eeb2a86dafee312e75f41678ff

SHA256
ae5731180656051a4192409515344820ff5262b030584928c60b389b211b6109

SHA512
7b42df912f7ef11a60150f7af1c855aca077fef3915a847e5a3f912bc8023eb13850e8cb266f808e71365524dd0554b4a3e8502e4672e378c48c0286e90d1a30

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
71KB

MD5
ca8223f7fa3b1b49bb0c65583f59ebad

SHA1
30a75d0f55df9ab10fbeea04f09a14347f4bb8ef

SHA256
31597d03b53ea79b16435036a014ee06c8c277440279279b8574b308a0d9c9e1

SHA512
4391db052344d09f0c4d23dc9cddecc56ab9e4c964b1b14f45f2f06ec6f31f4725583ace3f4777c271c4b5cb1a680c6931ef7411e44a5412405555a970372f74

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
71KB

MD5
fe6d046ad77cd7214daec2dde6a85546

SHA1
a4d4ce16e89326fa6ced2a9c1f1fe2a9d885345a

SHA256
5c32fff5b502307ff95826f24f78ca15aa8f7d85d6a08131db46a867384c5d58

SHA512
92ba6290b98c70a2dd1098f6f971e6aced54838feb0e4c98e198838674a9426936af632e78137b87dfb801d96b8b232ff4488f79cc5401ee1c817c2cc5bbc7ec

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
71KB

MD5
a0dc7a219200120945bed95434624b9b

SHA1
a421f2575c376ceff948198d41f8434a41253061

SHA256
97922851545c2f2d2c0e54e31e5839504641f44e9ba933b3c23729453bba0155

SHA512
d203186de40d17efbf54b39491e9669aea61e17804b24deb9e954e9e185cac969172b4e22c8ebc25b6193acf18b668fc2031a3394b91508ed4f1b88c269ea287

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
71KB

MD5
9db07dda474dd5de0f15fb564fad7512

SHA1
7fd433e8f034334c2b8a3743d7f401dc90e33d19

SHA256
13fb105b08ee21da67ddcd040b6dcb055ab85fa6d412f1742afb0c1b3a178f3e

SHA512
b105651980494fc8fa07d253f11f3ab6f13411d1f3ac7d0449fb30ab53fe2cb225430a2d7595b36284d1de12b69a81f653ce7b74d478b56ea8a06eeea9863198

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
71KB

MD5
20564eca02a67eb97819af0b6d67a335

SHA1
170363722ed2562ce0dc92a22ef1ee29a6e678ee

SHA256
624221cc8bd964c979f226193aaeeb412602fb33a7cff9665a975b5499a58e40

SHA512
9045a934a88ccd3a35846aa85123df79cf55e34d0a3db06d9d13ad3dc3251b44b21275256155b42948de1757d0c52fbbcecd9d0affa929acbf945f655c467749

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
71KB

MD5
8238c729c1bc5b9574d7e00ff7f55203

SHA1
b262045b0e00919d9e65f9193568e3c19c04dbf2

SHA256
37eb0da0d8124534cc52d9f4a232c77fabf9e05b88199630959c6d549fe42a92

SHA512
018dcefdcbedb9dd2162cb7693dcf7842cbb4eadc6caeceabdb1cd2f5a888a5912d3c12631cc8927afb2ba734e8f12db558fda8c367a116d9d7ff8e14fd43dac

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
71KB

MD5
f7370b4c90e93d6b0e9ad2fc72bb77aa

SHA1
1695535321108b65d714a23e0ecbd075970ba2e5

SHA256
f43c207ef481d9416e42611c48127e3329fba54ecf55fbdf14a68494d9c084e1

SHA512
04fcb1913648907f6b48ece47feb91ce6ce87134f35f10854d312ab8a72fea5e7c1604be239644e8122063996afeaf263b7a55007b00d1053cfd04b857ad6073

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
71KB

MD5
fa6bda2ab01be39db8ad30cec82c904c

SHA1
f43323703eb053ab8d980f2308d807df9f47851b

SHA256
22190cc83045808fd59525a924c64d3fa912cfbd11567767a08ac2abe4fdd97e

SHA512
0e510e92b46ea5bfc9e3e901d8e657d4659cda23dd9b6996b13f8c817b29c3a5b025ce7e954f87f55aa4a775f9580be523b86b73c73a1fcdb5c2060a5b7b8715

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
71KB

MD5
7e3e8eebb0377af374047d162cc38655

SHA1
b4ded9a839d8459bdd44bb4c306c4dace6e3d1be

SHA256
4a23ee5004d3b57971073d004e2c4c2349dfd46a55b48e8373c54363f2550ce2

SHA512
adb2c033a8ed3b40e88d611eb883f319b527a1fcc2208b7e6ccef8e57a0ad349ea3b2fa75423412438d8cf733bce3d6c8af2c29e7340ec0163bc86ff3c30286e

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
71KB

MD5
3f959be1813b6f49a2bde5dee7fde183

SHA1
ceadbace7c1c24321d8b387f1eaba9218b0ce529

SHA256
04f8b4828c76725e757d3acb6eb76114faa68f09a96d8a0c9e20951bb4addd64

SHA512
e14dc6875142b6b33df0a87b4513e5195650f8eca1f9abcd61aa27faa21930c399dcfc44fa1a3f3925d36e969da114512eadf337e4e1b8ee546755e9478747ef

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
71KB

MD5
f2348bfa979478515b7d7f61e1d854ec

SHA1
eeb518cabd03f18a9c070de1a0a796ecd9ece4ce

SHA256
b12deb229c8b2281992686a90aede5e4ddfa659568c569f35500e69b4f300677

SHA512
0573cf539d70d4ce61d54dd622dadb25ec2787cb3b4134e67eb55da8e607725b4a1769b3b20d424cf9e78282051223bc252d21e365279946fbb028f8627f681e

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
71KB

MD5
bad84c38906c91075a2f1bdb656618ce

SHA1
2f6eac362d47057b9eaa59c59443f438e61d2a12

SHA256
92eed3ed894ba81cce5efdad91b9c322b10a62f71ee60085e7f2881d2450f606

SHA512
45186c00c6893e57f80474037ef26a7e3d675f8f605955c2a1f40092af3cab46ca4da2f742e291883eb34581dc99c2355662b27894fcbe0ab9c66d49e3cb5557

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
71KB

MD5
2e4629c86e4ecfcc7174328d0ca61408

SHA1
23ed41f67e66eda0a7865cae30977a0776e5dfea

SHA256
00595a8d58da26c213dac6205195396afbc15fe5c31ceaa68045f14d6dccb02e

SHA512
662921632f0566fb864f79ee6afacb5dfe4ef943c5d3bd20ef475831c1b11aeef68a0f93c72a3f18309cd75dc0cfc550fcca26d96c0f6cc9d9d3e6711cf2b657

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
71KB

MD5
44a54fb3cbfa7ee1d485a7d0dc4e9c61

SHA1
6362786a753e1c9ce73a95a9e5204cf7489da162

SHA256
94caf038890c3478a24c08ff07d67b3d9a0134380f9e25b7a592c216e4eb91ea

SHA512
68386f3b30a83268e7c6c02cf20645282b4a5332d4534676f27438cd30eed5a78e9caff8ea5a7c0e2a40fc2489230f1d9059adcfb7df33726277130ba2f3f8ed

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
71KB

MD5
f7ab520b47dd3885884e020869a28ce7

SHA1
f6b5817f9b051ba94c7d7a363718d63144feeac4

SHA256
c9d42588819cc6f9db0bb8060d56e118c9cb49d4c60daefb55494151821fcc92

SHA512
72916e05a6b7cbcacb313d2ea2aee8c0dc3c7711873dd9a6affbb5439f746a7ded4dc1462842fd58bcfed70fbe1f66b645227123f74191bf1291b5d230853a63

Download Submit
memory/8-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5152-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5200-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6152-1023-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads