4d48c4571db7fc35ebd927ee6eee53dbc23cfe6983cf8b8a3d8c3f5d9e1f83a2

Analysis

max time kernel
93s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 09:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e5294e75887a0195f82853ebe9a9680_NeikiAnalytics.exe
Size

264KB
MD5

4e5294e75887a0195f82853ebe9a9680
SHA1

2167ca60e59173685e5d162c6f4b681c3f472cf3
SHA256

4d48c4571db7fc35ebd927ee6eee53dbc23cfe6983cf8b8a3d8c3f5d9e1f83a2
SHA512

466cb00d6f2b7e08b3a41152164906884919fd8d92ed9f2467e76b5c0567e3c6e2e8a7697091de9de3baed0a78cdd200f6bd6155d7542e3e3cc56bb8056f960b
SSDEEP

3072:fASbG4gp3Z24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lFDrFA:fXGnWsFj5tPNki9HZd1sFj5tw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4e5294e75887a0195f82853ebe9a9680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4e5294e75887a0195f82853ebe9a9680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe

Executes dropped EXE 64 IoCs

pid	Process
4156	Fokbim32.exe
4068	Fbioei32.exe
1832	Fmocba32.exe
2528	Fqkocpod.exe
4960	Fcikolnh.exe
1480	Fbllkh32.exe
1196	Ffggkgmk.exe
1120	Fbnhphbp.exe
3548	Fihqmb32.exe
4008	Fobiilai.exe
4080	Fflaff32.exe
5028	Fmficqpc.exe
4172	Gbcakg32.exe
4332	Gimjhafg.exe
1464	Gqdbiofi.exe
4528	Gfqjafdq.exe
1388	Giofnacd.exe
3696	Goiojk32.exe
2692	Gjocgdkg.exe
2196	Gqikdn32.exe
1204	Gfedle32.exe
1564	Gqkhjn32.exe
468	Gbldaffp.exe
2640	Gmaioo32.exe
4948	Hclakimb.exe
4812	Hihicplj.exe
2024	Hcnnaikp.exe
4848	Hikfip32.exe
1112	Hcqjfh32.exe
4864	Hfofbd32.exe
4284	Hadkpm32.exe
4564	Hbeghene.exe
3124	Hjmoibog.exe
4820	Hmklen32.exe
5048	Hpihai32.exe
4388	Hbhdmd32.exe
3912	Hjolnb32.exe
3784	Hmmhjm32.exe
2308	Ipldfi32.exe
2792	Iffmccbi.exe
1012	Iidipnal.exe
3588	Iakaql32.exe
772	Ipnalhii.exe
5096	Ifhiib32.exe
4548	Iiffen32.exe
3144	Iannfk32.exe
4660	Icljbg32.exe
1924	Ifjfnb32.exe
4344	Ijfboafl.exe
3104	Imdnklfp.exe
2880	Ipckgh32.exe
4952	Ibagcc32.exe
5084	Ijhodq32.exe
4056	Ipegmg32.exe
4604	Ibccic32.exe
1428	Ijkljp32.exe
3524	Iinlemia.exe
4300	Jaedgjjd.exe
1248	Jbfpobpb.exe
2952	Jfaloa32.exe
2672	Jmkdlkph.exe
4448	Jpjqhgol.exe
2208	Jfdida32.exe
3460	Jibeql32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Ffggkgmk.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fobiilai.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hcnnaikp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5340	5780	WerFault.exe	226

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4156	1052	4e5294e75887a0195f82853ebe9a9680_NeikiAnalytics.exe	81
PID 1052 wrote to memory of 4156	1052	4e5294e75887a0195f82853ebe9a9680_NeikiAnalytics.exe	81
PID 1052 wrote to memory of 4156	1052	4e5294e75887a0195f82853ebe9a9680_NeikiAnalytics.exe	81
PID 4156 wrote to memory of 4068	4156	Fokbim32.exe	82
PID 4156 wrote to memory of 4068	4156	Fokbim32.exe	82
PID 4156 wrote to memory of 4068	4156	Fokbim32.exe	82
PID 4068 wrote to memory of 1832	4068	Fbioei32.exe	83
PID 4068 wrote to memory of 1832	4068	Fbioei32.exe	83
PID 4068 wrote to memory of 1832	4068	Fbioei32.exe	83
PID 1832 wrote to memory of 2528	1832	Fmocba32.exe	84
PID 1832 wrote to memory of 2528	1832	Fmocba32.exe	84
PID 1832 wrote to memory of 2528	1832	Fmocba32.exe	84
PID 2528 wrote to memory of 4960	2528	Fqkocpod.exe	85
PID 2528 wrote to memory of 4960	2528	Fqkocpod.exe	85
PID 2528 wrote to memory of 4960	2528	Fqkocpod.exe	85
PID 4960 wrote to memory of 1480	4960	Fcikolnh.exe	86
PID 4960 wrote to memory of 1480	4960	Fcikolnh.exe	86
PID 4960 wrote to memory of 1480	4960	Fcikolnh.exe	86
PID 1480 wrote to memory of 1196	1480	Fbllkh32.exe	87
PID 1480 wrote to memory of 1196	1480	Fbllkh32.exe	87
PID 1480 wrote to memory of 1196	1480	Fbllkh32.exe	87
PID 1196 wrote to memory of 1120	1196	Ffggkgmk.exe	89
PID 1196 wrote to memory of 1120	1196	Ffggkgmk.exe	89
PID 1196 wrote to memory of 1120	1196	Ffggkgmk.exe	89
PID 1120 wrote to memory of 3548	1120	Fbnhphbp.exe	90
PID 1120 wrote to memory of 3548	1120	Fbnhphbp.exe	90
PID 1120 wrote to memory of 3548	1120	Fbnhphbp.exe	90
PID 3548 wrote to memory of 4008	3548	Fihqmb32.exe	91
PID 3548 wrote to memory of 4008	3548	Fihqmb32.exe	91
PID 3548 wrote to memory of 4008	3548	Fihqmb32.exe	91
PID 4008 wrote to memory of 4080	4008	Fobiilai.exe	93
PID 4008 wrote to memory of 4080	4008	Fobiilai.exe	93
PID 4008 wrote to memory of 4080	4008	Fobiilai.exe	93
PID 4080 wrote to memory of 5028	4080	Fflaff32.exe	94
PID 4080 wrote to memory of 5028	4080	Fflaff32.exe	94
PID 4080 wrote to memory of 5028	4080	Fflaff32.exe	94
PID 5028 wrote to memory of 4172	5028	Fmficqpc.exe	95
PID 5028 wrote to memory of 4172	5028	Fmficqpc.exe	95
PID 5028 wrote to memory of 4172	5028	Fmficqpc.exe	95
PID 4172 wrote to memory of 4332	4172	Gbcakg32.exe	96
PID 4172 wrote to memory of 4332	4172	Gbcakg32.exe	96
PID 4172 wrote to memory of 4332	4172	Gbcakg32.exe	96
PID 4332 wrote to memory of 1464	4332	Gimjhafg.exe	97
PID 4332 wrote to memory of 1464	4332	Gimjhafg.exe	97
PID 4332 wrote to memory of 1464	4332	Gimjhafg.exe	97
PID 1464 wrote to memory of 4528	1464	Gqdbiofi.exe	99
PID 1464 wrote to memory of 4528	1464	Gqdbiofi.exe	99
PID 1464 wrote to memory of 4528	1464	Gqdbiofi.exe	99
PID 4528 wrote to memory of 1388	4528	Gfqjafdq.exe	100
PID 4528 wrote to memory of 1388	4528	Gfqjafdq.exe	100
PID 4528 wrote to memory of 1388	4528	Gfqjafdq.exe	100
PID 1388 wrote to memory of 3696	1388	Giofnacd.exe	101
PID 1388 wrote to memory of 3696	1388	Giofnacd.exe	101
PID 1388 wrote to memory of 3696	1388	Giofnacd.exe	101
PID 3696 wrote to memory of 2692	3696	Goiojk32.exe	102
PID 3696 wrote to memory of 2692	3696	Goiojk32.exe	102
PID 3696 wrote to memory of 2692	3696	Goiojk32.exe	102
PID 2692 wrote to memory of 2196	2692	Gjocgdkg.exe	103
PID 2692 wrote to memory of 2196	2692	Gjocgdkg.exe	103
PID 2692 wrote to memory of 2196	2692	Gjocgdkg.exe	103
PID 2196 wrote to memory of 1204	2196	Gqikdn32.exe	104
PID 2196 wrote to memory of 1204	2196	Gqikdn32.exe	104
PID 2196 wrote to memory of 1204	2196	Gqikdn32.exe	104
PID 1204 wrote to memory of 1564	1204	Gfedle32.exe	105

C:\Users\Admin\AppData\Local\Temp\4e5294e75887a0195f82853ebe9a9680_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e5294e75887a0195f82853ebe9a9680_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\Fokbim32.exe
  C:\Windows\system32\Fokbim32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\Fbioei32.exe
    C:\Windows\system32\Fbioei32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\Fmocba32.exe
      C:\Windows\system32\Fmocba32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        24⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        33⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        34⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        43⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        46⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        48⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        50⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        51⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        53⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        55⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        59⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        63⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        66⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        67⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        68⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        69⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        71⤵
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        73⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        75⤵
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        76⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        77⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        78⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4928
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        83⤵
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        84⤵
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        85⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        86⤵
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3332
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        89⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        90⤵
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4736
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        92⤵
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        93⤵
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        94⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        97⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        105⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        106⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        107⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        109⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        110⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        111⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        113⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        117⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        118⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        123⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        125⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        126⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        130⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        131⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        133⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        134⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 400
        141⤵
        Program crash
        
        PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5780 -ip 5780
1⤵
PID:6132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbioei32.exe

Filesize
264KB

MD5
0ed90214ed9b1da52117fc4731816a3c

SHA1
7e899a1c582102a1889df38fc8bdf45e55ad7daf

SHA256
36463bfdd93515a71ea2b9f7dc2125fcd80a5978dabfe31bc816a990e39917b6

SHA512
cb2d13044ee31a5b4646f13a2df5230f99d759fb765259da9e6a7038f598a949e34503a403cf3613502615fe4dd32ed712d4033cd2e0daf9e3c79783761b2f0e

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
264KB

MD5
8e46af8b45f29947cf89a959d807ceef

SHA1
10265a579a3873fa5221b053028dcd101a718264

SHA256
ca5ecfa5b4dfb150971eacbf27f10f6edefda1aa0de79d78e260516cc3298d52

SHA512
9d51deec324fdf3b92a8bdd0ffab5294743eae588a1ac83134281c67a9e20a0428c4a42c11aec43036cd0964ac6c7b1d3894d1a7888c623110ffcc032e3654b1

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
264KB

MD5
50e0aa5a83b740c8efcd74e80f562a30

SHA1
138962e82de40539a3c8114498c6e65ecdce57c1

SHA256
7d113cb1f12bcd1391faceb8c8c8c595809cbed25857916f5c23489b80fe23a5

SHA512
d5177fddfbadf5aba4b2fcabbb8ca288295d32d1331548152567a54e2b4a3b361618d05f978d82c87ef0425af70731aa4b689529ed31b5cd4d9bb3ba89b356c2

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
264KB

MD5
1c1f500653a718c281c6802733950020

SHA1
3e800336852767b7802fb46a0247668d613b60da

SHA256
d670e1d272c354bd89f958efef61b4ad2a34febe30dd7ba0bdd0e728b50e7df4

SHA512
2156fcb64eb1150abb67a06f85e4935443a67f4bd65c219ae9bca5a25c7da5baed1686c3b8ca4035239438161b0d3c1fc814a3c385ee3ad02e6f2a31f3092d7c

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
264KB

MD5
2447200e0906bcc7e69a53d1cba62c22

SHA1
e4257b8d9d18f31a8d56a868780953c7457a73e7

SHA256
8d6be2f8b0a268be65dfc8bffe279c9dd513c8e50a6601f012616e11eccc7f38

SHA512
8f21bc107d5cb582426b3802071a12d4fd56e6c492608f7d923f9a4797abffd6cae58575acc6e68a9fdc914f0f669975822b4192512549cb4ce2c98c4783d5cc

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
264KB

MD5
612c98fdd295cc021865b65916e65f8f

SHA1
b1c4dd9be2e58b6d0255b3c35d091573d81cd492

SHA256
7d348c36880717e2591a76082e6d8d252627395370ed6e93c9ca7c47af42e84a

SHA512
ffda391fdc446163339df6aaf855f59aba002c4cb9b55ee47ac9ce4f20d9cf24f444bf29e50f2dd2c1860cccb2438a1e73e37eea125330e5126ccb236104a645

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
264KB

MD5
c8b1ccf423420b09232364343d034c49

SHA1
3a4d8bf2af88609f41d49425049ef9f9eceaa737

SHA256
f396ec4088aa6cf2f7358fa35badba97f344ba0f6464f788eb232d3092234cc2

SHA512
5427cffc26e44a96d0b32473da6fa056ad1a1c4a9772a5284095ed9fb8ee40ce1caa4548eadb09a7d1580c5bb2889cc6de171bf8364ff5b49254e0587b1c2472

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
264KB

MD5
7b2f1d450c9d3b298b9baa65904fd557

SHA1
e1c0c8bbbbda679b6d031734bc6383135c013439

SHA256
b2093ce3839694bdf10384715f332ca2ffd9ce8c0778ae700ac3d567caed076e

SHA512
7a97086d17657d44837aed2204f52999aba7dc1f04fef1bb864a4f0ed42431cc7bd9f3771f825523709671f3d93b3c4fdb41de097f89026c0050d22e4a491250

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
264KB

MD5
195e4e2154b9a01fafe11dcb9bafded7

SHA1
816ce6e05ac5867f145f713f46538d5a1e33fe04

SHA256
2651ba56c7e1d0fa27a8f65ab48eea6424c8ff156c49fdb53502833303eac269

SHA512
dd81990a120518577eb974ad563fec9b3a9da49c9fc2b1c47d2d722f8582a05f6c1d41b3ba9f23f5724d26700d30bfc7c92f0723d3e7eaa4d50b588fab3f6d94

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
264KB

MD5
4892f27ef217020dc9d3f90ffca39b1e

SHA1
8c5ec3aedb05d3b9649ac579b17d9f9c2108f51a

SHA256
8c92f7ece76abca99b95851517206b208df3ddc535b95e941b113cc94006491e

SHA512
8714d3e1263fcc5e9890a49198d64a78f77eb91d195ff1559cf3ee13078ec9003e0e8ca7f988a54354d9e5c9d11d99a608c5e02f394a65c7812e00253aa2d5a7

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
264KB

MD5
1e451d5c2bc40e702290fe9e1614d16c

SHA1
fa542848f69e1b2ea1547dc867b99363451f9c8d

SHA256
2ac8189c5509c10bd3f0f23024510f1ad6b5b59603030690169d058f8b26e6b6

SHA512
41990f8ecde999ab4111967a98bfbb3c0b155f4039e2647faf51c0f34c3e019e68ffe2d2b58c04222f21088958e7c5867677c301a180ba839d2a33980e7d953e

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
264KB

MD5
983e4f72e7d7f9311e6910ba14c3efed

SHA1
20f7ff78b4233bb9e7c4f70017a6ad5763ff439d

SHA256
a33c534b8adbdf6750ae186c151b0af6ace4ce88ee49d6b1537f385d08bc725c

SHA512
4d430546c473701ce9a9c6114e31f10fcf01bb727f38e1b0a25cc03c02df1eaec59b3466a3844c745bfacd0648d44d8be09359cd338d4a74b6abc65ed085d518

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
264KB

MD5
c347fabf4fa8312f082259a19704f05b

SHA1
a9498d0e94090f98b633280b6e736b8e7017933a

SHA256
a601b6b9e308bd711e743ae829b3257cb42e6716bbbc613eeaf31af233cc4e2d

SHA512
1319e009765e5204099059272adf9cbca4e248540ea8d8d934b6b1265ecb13ce71c2393e8b5542e44d3af7e9c6f6326c74a1769b5cd39f09115d34ba5e863623

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
264KB

MD5
33defc1a40aa91b411d655e17f1e802e

SHA1
3ada874f92a8f14cf5bb894fd786ccf4d8710261

SHA256
dfedebad7f95ae4f1d3429127351b09347555a5ac8d15d6eebaf9b6ded038417

SHA512
140425be233d274bcabc5947c90a455536e0f5686faa3e7ce3c019577bdfa94302011cacdae986bb532bbd8fbbe1f1d92a8e5061255ecbc338e22ec73b20f56a

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
264KB

MD5
e161e1327903d5fe90a474169790f495

SHA1
f79d3e5ba276d1d98b2d5fde8820bf7a2425d228

SHA256
7e757455a8ec7752d926f18f36e881230b6305987a34ec1d37909cf6a4a7fdd1

SHA512
d19353113eab32480ade406ca5a8af9d01f2578dabf0c0057c6363c71f2610322a1473dfe532f865dd51a26b1f8f28ac720f6f20589aec0264c678336e6b2052

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
264KB

MD5
3953288769e90ada2f5fc3054b5e3d5d

SHA1
7effb522347f64512cb7ca3b4b63f716dc06ca2b

SHA256
8ee925d88661e5c5fc271327123f195601ecf26932605153c3ba19783c7f0855

SHA512
b7cac6fd5d9efdbe91228bfad5cc6eb5fc48233109e7853d29b6844c1ea45fd24e6fad3c67deb25c714d4d3f7227a9c7898d89352a67a3e6398080d5fa853ec0

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
264KB

MD5
5a30448c10af1975779bd1a864b26f2f

SHA1
affcf5f328fa3126e66a17034ebde4a5cd8683b2

SHA256
5df49be13b3cfbef385933efbdb400cc7d6cb998e48230c2871ad3454b52d55a

SHA512
115ab8902a2b62714dc2e6db249d6d768cca754eeea63ca39c693d3e94cbcd34b7e6f18376069a67b766241d03cd82684c61fe9e9d170e3b285d2cd58c59b133

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
264KB

MD5
2c80a7ebfbfb0b7ad61c149cc43889a4

SHA1
71b8af220b9e0a57e1f8a2a23d49af2b8fada478

SHA256
1a1ddecb6de254f9c815b195ae899a359ede7fc506fa59a35169139cb421ca0c

SHA512
49b78c4433a8c3a176c47ce402fe55e0b10836fa36b3744619c8d5838288256814c0c97678baa19bc8a9e146b7474bdc0c47e13699f8f67725572d28a9f7c8b2

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
264KB

MD5
724070c7a2fc139ffe28b4c21187b17d

SHA1
1bbc7fe9409929017439eb123e23d5d9b425941b

SHA256
ea9102b1a5f331ff717bb9ca1ec4ac37b8919e016da39059131fd02bfc57a989

SHA512
f7a0cdd1f49ab157b2a694ebd0df205a24f8e205653d7dfddfc238676ab546d73c8a00e8fa4bf4ce3c7f5be589036dd7fbe51375612d3484a45c666e9a29caa3

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
264KB

MD5
a1056b87c9e368a9ee1176596da3a864

SHA1
f1ad8589f9f5e74fec6b9142b9260abf56707ff0

SHA256
458e5d7eeef925d9c1bfbf8da9e2127950c3911aa309491c1680efc0fb02315d

SHA512
6293078de53098eba7c41c8bb11b5cf8916fa6d80a5fc93bc5568f240ce472fbf4f955b32ec62bcad314c1dfc88f30684be3915f0506b7fec76c45f658422056

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
264KB

MD5
c76daddec47d36ed756c1e8fc6fc8de6

SHA1
d47e45c686206b35c322ddbbd80bf437e6c7c27d

SHA256
e84c28c4ee12c53b3a3ab0152842578376fe4528e9fd9d6f5a32cbb67c07bb10

SHA512
fcec210eb17049cea59a2c8964736c47be79d6ea5e4e114127a3e4dc158c329dff840671f4142a1310cde640ad9d66f5fe29b710f068773d5a7d6aa2739d2bca

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
264KB

MD5
0d11ed606d6351c5f9b0362c273cafe9

SHA1
ada3f0a636eb1d40abc61df508572862661bf3a3

SHA256
60840b8a4f211a9d553c8cc5fe5af3318209076e7964d1e22d2f491274aa61b5

SHA512
478389795a70ac2489b51aedf62cab9b1ac51c2a8261cad8e815362e03eab93e79436f1226ade1976b66316e983c5fd3dae250a7b2534623f23342e08d9b470a

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
264KB

MD5
7f9034620940b4f35c089572e5976a60

SHA1
d4c60fc6e8c72b7d212ebac905f982595c56f13e

SHA256
c89202bfe7512228ee4909bb09f22f814eec1199f338b79228eb1947e654846e

SHA512
fe0cf0c5001821d5b226e8e2d36e3e2aadba8d5ca2d9e4a579588964be15af33bfa62eed68e45953280decdcd8e68604fffffd7bdc88bb990aacaa2cb51c488e

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
264KB

MD5
1a5c3b9dcb553e2a64556acb636d9933

SHA1
ca5e19e3de96c12454c97af298383f7657de240e

SHA256
7b6892ff2c2357403bf29144cfa866c958ea786c0fe115c841216fa0d8597235

SHA512
c36e74beb948927fdc0a8854ecd6bff1c382a4d071cca378f4f3572ee8769131b53d9a558e2e352a540ceb54ca489ef58af6fe088d64d34dd2f669c47421c7fa

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
264KB

MD5
a445f50f4f69f3a7ab827ea62a59d169

SHA1
46a21baacc7974f12657e9a2d36751d6e356a42a

SHA256
2a3678d506ac0ad067c38fe54b37c4fe13e3311f1c3e7fc24c6403d847b89bd2

SHA512
a47cc59c0173e66bd80917b1fc9c15038cd03674cf86ac189a94cf2007458f2ba7c11194a2a98387c61641eb6ffae8fb75cd0441d6f886e502174cc2fb4094e4

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
264KB

MD5
f94f382a64bca78dc7ad48a2ab538363

SHA1
39af807d22d21a8c3de1461b08efad92d9b4833b

SHA256
af0cb69376884dc78ddaec9bc442ea41a28ccb4e74e140e10643c21b2fee6868

SHA512
e06db22bbad53b8d34a0fc3bdd22df8e46255608b19a9c3655f24c1db61d9bb5f69d798a5bb9af3c5c2ff0fa4d6e6b8e0ae02a8979b5f4e89cf3b60baa970951

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
264KB

MD5
0228e972fb3809b623418dd07d7ec09d

SHA1
0cb12235b7752de679a2953c726e170751f7c596

SHA256
b0ea43b718d075d1be67cd0a2c058794f719dc5dcf65b44816bb4eee4956b6e5

SHA512
35431f0924115fcfa1d6a26a8c96a01416d3d350045d0e80f364b2fc0fc47512c41097218d13a8bfd0906fa4ab9db8bcb35b901eeb2352dac0b31035d1ea8dbd

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
264KB

MD5
ba4fbb2e5cfff3e78275c5738c7aa94e

SHA1
380035857836337f838425df38a51bb22b2018ed

SHA256
22b314960eca7ab6d640d51386b9dfc24cbb21a82590d9f4e91dd619240a0a91

SHA512
a63db076161d8dbebdb290a00ea86cd7180eae1ecdf0ae3ec6e83f30be031c663e597223f9453214316a5d47a7b4217c88331e4969eda95a40c9d34a4c5031fc

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
264KB

MD5
b9195f7f3b736ae57905238e36c45d4e

SHA1
28ef359f36584d3153e9f548e279bdb69fe1122f

SHA256
2a9b7cef784170fbadb61c216cd66f999e2bf4b1c094117bd8afedc77ec01f04

SHA512
9641be5a37777fbe2424dac3987c341cc4fa9885acf9ceb59fc39bf0508377b25b1cf827cec7f4795c7df8965d2e28faa60e688b2c4ef32d0ae7586d77030d7d

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
264KB

MD5
9e9813205376495217263d57156dfc49

SHA1
c48fb01f8ab4f6a999659be9b9c6c8f02d340152

SHA256
fc80bc5f719b143dd97707b12610b60d6cd93df6c2a514c0292a8fce1fbfe9d8

SHA512
796bb933341e24c6e187872ad9cc46465521897d39422898783d9625b66df93ae2ed483d9ea2f0ded999254fbcd579ad63234fc9685cdf6929733768b94ca5ab

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
264KB

MD5
478607a96e4c6d16be564e33f8a4f866

SHA1
288fd92619e7692beec7ea62767cc1334303ee16

SHA256
09d814c7a1eacf6eea91f352d479ad7d5e1bdb0cd7f5c76ece4243d74623c45b

SHA512
3ed84858145912572b5eb9c9b96d18a9e80efaa9bc7f31a24f3f7a04d54a5e92dfa9ae8ef687fa65fe0d78035f1cfcb31167bc6270665934ffd2386f9cccd089

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
264KB

MD5
586879e5cbb9d926c96259f54d4d590a

SHA1
95c8e01a7963bb55bc251f68b3234093c5b3605a

SHA256
ade5f2dde781b34795ab3926c27af2ee419a52a38952ff0576771c00f5dec23d

SHA512
74f80d0cece24200c75ed8ebbc0c0cc3cb38b89f95274c93b9cdcb19aa85f6ac32f6fd91025d9d440dda2284cf20f565a00a2becb046ce143d3a31c3f385aff3

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
264KB

MD5
b052b0a73d23c31055a60c8738935009

SHA1
62d7ce4de6df6de6f7eb43ddc8964c66b9bfaa59

SHA256
7507202278aedf8f67845019d30d00275b4ff2b479ff0b0313de3a35c25eda5b

SHA512
b5731159f7868c45ea67f60f1f7467870ab38027da8ef149cd22c7bc7943cf51c5236c7f8f270d917d40b0779ff0161fd194279adce81ed57216e7405da0aaf8

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
264KB

MD5
5f9e8031efdb8e312e8af950bf5fe37a

SHA1
59bbc9fba5fd8b00b69bd95e09c5b3687aa8520a

SHA256
fefd0b381c59390c1b44b09197afcdcf69fcd6484328dd48fd6e68080d103dff

SHA512
879eb9e63949d4e295f85f00c2e0f88da2a4126b929de092de5fd82116b17807f52e9aa1a47bca168e9bb5541ec206be017239ae34c57cd03d1361ebdf5a442a

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
264KB

MD5
f5ecc1ec9d35a0fdb2e6d289e23cea5f

SHA1
2da09095e2db47e40c34caf8d3cd068e600c16de

SHA256
6e7e37e36b271b0aa1326872151a154ab0b372baa25b11b4d3a91b6e8ef1425f

SHA512
d4f414d3a5068db19d1f2148072c398428228204c9b6f396822674a66b7a83b48c4fbd70cd53b901a039f4d46f83fc817ae6f2352d712032912e7874cd128266

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
264KB

MD5
4db3af2b7fbd7f4e843f075ef7c92d93

SHA1
0c42a0b2eb8e3cb03c8d1d30d33d18bb0545ea61

SHA256
787260c5fd1232942a15aa0d80f982628a861678d44bfee385791f80b219099a

SHA512
556485abaa6b604cbac182e829ee441767ed3db4d59917330b44886cb01af2df9f0829e18d913a9dda2a6113fb43432ed524e77984a2450177e56c5e0f95f506

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
264KB

MD5
fc5a2c4392e2942d7d9e705e9a0446a5

SHA1
982b13ff7cc679c8b5eda1b3ac63f70dda3ea4e9

SHA256
5cfce899a996c48b49c68fc3717ea2a03632e21da25c589f6e102a05bb1b06d5

SHA512
e0c85b8333b9dc7100edebb01695dd6aa18a6738fb22f58b441af874985812c62ece02f4c1d8cbda4e646f221b23eba62731e03e19af29f072e934f55f465a3a

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
264KB

MD5
29383780582670aef7ae2a4bc6c2da72

SHA1
ce98c3e6ffd1aea810be2a824447e326f7c8cb8e

SHA256
87d697c9ccb834cf268c021ecf294fa86ae1cfaa0bee153c89de8263d539ceab

SHA512
fc2b16096f3e2d3748998cd231c8f7bea7dd10aa87f891935f0c0efd69f4909f5e171098d8de1a9ea30a1156bf3837f0e9c8d6d09ccaa452ed444f44ec4ff81e

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
264KB

MD5
0d522e725af805a690a823d352701676

SHA1
da850e282683ae282dd432ea09bf4d5ff5d0565d

SHA256
cb6c230a75dc0545997868521bf1f08f89969cead408f3fae40f614600e6493c

SHA512
e30d8a0cbff6de6c52a1351e08c38569ce3e632fb43b66cbd1fd2a1138c6b02b46b8e5004601ee2a02d3d981eb17c20cdb66c4a8e0485e9897644ad85459c4c9

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
264KB

MD5
e54729585a4c05e6a54958b45ffda729

SHA1
4e134390300d394f29aa5847544a994cfd884707

SHA256
cfcd2909484459602771c356083c9dbbccc1e8fcde41830443ef6a3e48727ced

SHA512
22b4e73213a2c42bfaf12bdfb6b0f7f807edef90936534a9be28338055ae2a27a310b9e91b5103ddf90ffa1d4e46cc97a5644c9100041d3ba3f89e7088af2627

Download Submit
memory/468-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1196-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1196-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-583-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3104-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-602-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4948-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5560-946-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads