9f1b5e8e307abc34e065baa9c5e1d5c675992ae270bc550c7ba19bea4caa2123

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

126a7418349531b937078283044c4b60_NeikiAnalytics.exe
Size

55KB
MD5

126a7418349531b937078283044c4b60
SHA1

60692c7b5dfd930a3ddba66c7b8db8b4e82f061f
SHA256

9f1b5e8e307abc34e065baa9c5e1d5c675992ae270bc550c7ba19bea4caa2123
SHA512

44464511ad9a7fb12c5c74b9a63a8ae19066b75a1ea710afcb56aa6fff9d7bd992631fb75bdd63db82f2bd6904b75a8df26986b62c52cee820052ed0b7cd4e26
SSDEEP

768:kzvezerewcChHhYwxgxkbgd7zQ9aw2CBf6/Qcnb0T9vaveY2p/1H5KXgXdnh:oezey5ChB6Jd7qaw2CB8Qcn4gvr2LL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elhmablc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe

Executes dropped EXE 64 IoCs

pid	Process
1964	Ecphimfb.exe
3908	Efneehef.exe
3720	Elhmablc.exe
2720	Eqciba32.exe
4840	Ebeejijj.exe
1552	Ejlmkgkl.exe
3844	Emjjgbjp.exe
2588	Eoifcnid.exe
1996	Fbgbpihg.exe
4428	Fhajlc32.exe
5032	Fqhbmqqg.exe
4152	Fbioei32.exe
4512	Ficgacna.exe
396	Fqkocpod.exe
2124	Fcikolnh.exe
4388	Fjcclf32.exe
3592	Fmapha32.exe
460	Fbnhphbp.exe
8	Fjepaecb.exe
2332	Fihqmb32.exe
2696	Fobiilai.exe
1768	Fflaff32.exe
3304	Fijmbb32.exe
4440	Fqaeco32.exe
1012	Gbcakg32.exe
4384	Gimjhafg.exe
4884	Gogbdl32.exe
4360	Gfqjafdq.exe
220	Giofnacd.exe
1388	Gqfooodg.exe
2676	Gfcgge32.exe
1376	Giacca32.exe
1524	Gqikdn32.exe
2368	Gcggpj32.exe
2072	Gjapmdid.exe
1880	Gidphq32.exe
184	Gqkhjn32.exe
4624	Gcidfi32.exe
2252	Gfhqbe32.exe
972	Gifmnpnl.exe
3176	Gmaioo32.exe
3780	Gppekj32.exe
820	Hfjmgdlf.exe
1308	Hihicplj.exe
452	Hapaemll.exe
1644	Hcnnaikp.exe
3312	Hfljmdjc.exe
4012	Hmfbjnbp.exe
1832	Hcqjfh32.exe
3236	Hfofbd32.exe
3444	Hmioonpn.exe
4924	Hpgkkioa.exe
3112	Hbeghene.exe
2644	Hfachc32.exe
4548	Hippdo32.exe
2640	Haggelfd.exe
3668	Hcedaheh.exe
444	Hfcpncdk.exe
1884	Hibljoco.exe
4844	Hmmhjm32.exe
1824	Ipldfi32.exe
1800	Ibjqcd32.exe
740	Iakaql32.exe
3424	Ipnalhii.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Fcikolnh.exe	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	Elhmablc.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fbioei32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Fbgbpihg.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Ibjqcd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5396	5276	WerFault.exe	214

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	126a7418349531b937078283044c4b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	126a7418349531b937078283044c4b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	126a7418349531b937078283044c4b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kdffocib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1964	2284	126a7418349531b937078283044c4b60_NeikiAnalytics.exe	82
PID 2284 wrote to memory of 1964	2284	126a7418349531b937078283044c4b60_NeikiAnalytics.exe	82
PID 2284 wrote to memory of 1964	2284	126a7418349531b937078283044c4b60_NeikiAnalytics.exe	82
PID 1964 wrote to memory of 3908	1964	Ecphimfb.exe	83
PID 1964 wrote to memory of 3908	1964	Ecphimfb.exe	83
PID 1964 wrote to memory of 3908	1964	Ecphimfb.exe	83
PID 3908 wrote to memory of 3720	3908	Efneehef.exe	84
PID 3908 wrote to memory of 3720	3908	Efneehef.exe	84
PID 3908 wrote to memory of 3720	3908	Efneehef.exe	84
PID 3720 wrote to memory of 2720	3720	Elhmablc.exe	85
PID 3720 wrote to memory of 2720	3720	Elhmablc.exe	85
PID 3720 wrote to memory of 2720	3720	Elhmablc.exe	85
PID 2720 wrote to memory of 4840	2720	Eqciba32.exe	86
PID 2720 wrote to memory of 4840	2720	Eqciba32.exe	86
PID 2720 wrote to memory of 4840	2720	Eqciba32.exe	86
PID 4840 wrote to memory of 1552	4840	Ebeejijj.exe	87
PID 4840 wrote to memory of 1552	4840	Ebeejijj.exe	87
PID 4840 wrote to memory of 1552	4840	Ebeejijj.exe	87
PID 1552 wrote to memory of 3844	1552	Ejlmkgkl.exe	88
PID 1552 wrote to memory of 3844	1552	Ejlmkgkl.exe	88
PID 1552 wrote to memory of 3844	1552	Ejlmkgkl.exe	88
PID 3844 wrote to memory of 2588	3844	Emjjgbjp.exe	89
PID 3844 wrote to memory of 2588	3844	Emjjgbjp.exe	89
PID 3844 wrote to memory of 2588	3844	Emjjgbjp.exe	89
PID 2588 wrote to memory of 1996	2588	Eoifcnid.exe	90
PID 2588 wrote to memory of 1996	2588	Eoifcnid.exe	90
PID 2588 wrote to memory of 1996	2588	Eoifcnid.exe	90
PID 1996 wrote to memory of 4428	1996	Fbgbpihg.exe	91
PID 1996 wrote to memory of 4428	1996	Fbgbpihg.exe	91
PID 1996 wrote to memory of 4428	1996	Fbgbpihg.exe	91
PID 4428 wrote to memory of 5032	4428	Fhajlc32.exe	93
PID 4428 wrote to memory of 5032	4428	Fhajlc32.exe	93
PID 4428 wrote to memory of 5032	4428	Fhajlc32.exe	93
PID 5032 wrote to memory of 4152	5032	Fqhbmqqg.exe	94
PID 5032 wrote to memory of 4152	5032	Fqhbmqqg.exe	94
PID 5032 wrote to memory of 4152	5032	Fqhbmqqg.exe	94
PID 4152 wrote to memory of 4512	4152	Fbioei32.exe	95
PID 4152 wrote to memory of 4512	4152	Fbioei32.exe	95
PID 4152 wrote to memory of 4512	4152	Fbioei32.exe	95
PID 4512 wrote to memory of 396	4512	Ficgacna.exe	97
PID 4512 wrote to memory of 396	4512	Ficgacna.exe	97
PID 4512 wrote to memory of 396	4512	Ficgacna.exe	97
PID 396 wrote to memory of 2124	396	Fqkocpod.exe	98
PID 396 wrote to memory of 2124	396	Fqkocpod.exe	98
PID 396 wrote to memory of 2124	396	Fqkocpod.exe	98
PID 2124 wrote to memory of 4388	2124	Fcikolnh.exe	99
PID 2124 wrote to memory of 4388	2124	Fcikolnh.exe	99
PID 2124 wrote to memory of 4388	2124	Fcikolnh.exe	99
PID 4388 wrote to memory of 3592	4388	Fjcclf32.exe	100
PID 4388 wrote to memory of 3592	4388	Fjcclf32.exe	100
PID 4388 wrote to memory of 3592	4388	Fjcclf32.exe	100
PID 3592 wrote to memory of 460	3592	Fmapha32.exe	101
PID 3592 wrote to memory of 460	3592	Fmapha32.exe	101
PID 3592 wrote to memory of 460	3592	Fmapha32.exe	101
PID 460 wrote to memory of 8	460	Fbnhphbp.exe	103
PID 460 wrote to memory of 8	460	Fbnhphbp.exe	103
PID 460 wrote to memory of 8	460	Fbnhphbp.exe	103
PID 8 wrote to memory of 2332	8	Fjepaecb.exe	104
PID 8 wrote to memory of 2332	8	Fjepaecb.exe	104
PID 8 wrote to memory of 2332	8	Fjepaecb.exe	104
PID 2332 wrote to memory of 2696	2332	Fihqmb32.exe	105
PID 2332 wrote to memory of 2696	2332	Fihqmb32.exe	105
PID 2332 wrote to memory of 2696	2332	Fihqmb32.exe	105
PID 2696 wrote to memory of 1768	2696	Fobiilai.exe	106

C:\Users\Admin\AppData\Local\Temp\126a7418349531b937078283044c4b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\126a7418349531b937078283044c4b60_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\Ecphimfb.exe
  C:\Windows\system32\Ecphimfb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\Efneehef.exe
    C:\Windows\system32\Efneehef.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\SysWOW64\Elhmablc.exe
      C:\Windows\system32\Elhmablc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        24⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        26⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        27⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        30⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:184
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        52⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        54⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        59⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        61⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        68⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        69⤵
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        71⤵
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        73⤵
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        74⤵
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        76⤵
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        77⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        79⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        80⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        81⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        82⤵
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        85⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4352
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        88⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:896
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        91⤵
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2304
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        93⤵
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:676
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        97⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        98⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        99⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        102⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        103⤵
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        105⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        108⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        109⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        116⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        118⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        125⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        128⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        129⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        131⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 404
        132⤵
        Program crash
        
        PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5276 -ip 5276
1⤵
PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
55KB

MD5
34167e863d155179ba278709abbda9cf

SHA1
fcb2293aa3108c992d687a44bd1d52d48c792a99

SHA256
2ac7fada25d75a145d52d78663a27eec650a55efcfef38cd4d82ee3fa86d1089

SHA512
eacddfa2e6119992b4eb142b879c3bf02d444ae8c0494a6897c5992e214901ca309223ab4f671f1101caefdfa11e01e6a1b9ac845e58f1b8757a60f3b8001b63

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
55KB

MD5
27bae5bdca26cc2532833dddb52c81e4

SHA1
2cde6674323e526f12ad7dfa102f6b27ae271f74

SHA256
deb42f37dcf3fd2427ca896494e9eed838ed1724f2282ed124344db02ee43840

SHA512
fa3b4fa6eb1a6d8cfdcfb4cb823a816ff30bd393a9962c17878fc0e05ffec406460de21a3ad0157cee2de687dee32db80a793d5b9ce1a88c1e6a728d8f55ef4d

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
55KB

MD5
f45ba303f0ddd908c68c710b78d5db87

SHA1
f078e2a1f47f56bb0ba386687f89d02016da6910

SHA256
391e51e0b12784a653b7fe01132da10a6b75ff6a563530c98c7ed7a8a7999387

SHA512
3ffa98b638dbdd0226e600446cdefb947da686782ba940028be422ee13906f1b10058e98778eb49b468ef80212491004a4092f7168e10cf0c6d7b19af2372a52

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
55KB

MD5
a4833a436fc399cfd58b5abd355ab84e

SHA1
280500978cd02ade01713b216713423698e1cc1c

SHA256
4bde72ef26c185a71e041ebd2505658d33a5d0eaaedff67f89bd331d44050233

SHA512
8532b806a3dc611e3f1ab6a99a704508041b59e736b95394fb24725a32eaea806f7160ec1c2ca24de4f23ae912f97ec51b8c2a99003a7d8e039ff74019987f75

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
55KB

MD5
ba9212c1fbe5fd0d8e521661750b49bc

SHA1
4caf59ecc569688c4baa7d34da600e70b9f35e5d

SHA256
dd74648496649be74ffbb2ee9208a7a8abf2a7fdabdb02fd41411bb5b48e0569

SHA512
23d0cec07800d0a6230f59f5d383036fc9b8daef751c4c90f078f1846929b151ae77eea587bde683e4e4c2a56be5527f78c91fcbe70600bd4a32a6180967110b

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
55KB

MD5
0f6a8826f0e44d7f8131b9a48a72fdb6

SHA1
41a09dec743e384ac6f5373c301be3a61a3f3e0f

SHA256
d88e5ae1aec5ce9252d44fe8181693951412b8a019481d5d19814556736e1896

SHA512
b1cbb6703df2f12310bfddc83d98a5df950d92ab7cad4b88eb46598ce387552eda77f610c04efd65fc06901f48467660536dafe97d772406716058aeeabaafbe

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
55KB

MD5
83b39adde0d6bd2e550452567e2776cc

SHA1
d2f5e384d8be834c4faa4fd630b8b23fb64f23c7

SHA256
b318e8460ed9b827ee6e05d8ec40d3fb0c4834175f13e869fad5eb7c67c2f052

SHA512
6497f9762ae0e3d9176b398e5af3e817fea811e3dd56f2fdc5d63233c2004d847c439ea36dcba6b9da60292d4331a5262da930647a8dc8944e1e2a5c8ac7ec14

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
55KB

MD5
264d366d5895ce75da09abaea0671e0b

SHA1
d99c71a801c3700783bbb5d112ba49f194dac9ed

SHA256
eb5aed0257ab0ae9a38715ec22cf495ae184e6ea4d78d3177bf41c31a8667ea0

SHA512
a83b1f52624e8a573b317c8fce2f25e6271c3db5a25bee5ee525203399767d662c3cae18fd7ddb4c850330e53e9607f845880653798cefb347c0490b2b6cccaf

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
55KB

MD5
fbe25934f2e465ed002aca827b0e313f

SHA1
994fd30acaff6445f4cf6c2a19b8f5060a806c07

SHA256
9c7c2116c99be1a47f8c552aa10158f1a875c94e38d4732d1d6c38a65c6a1261

SHA512
7d3f3d7362fc14a98f3c6e13cc3f831edb1a56685dd7d7bace40705f84fe1d06967ad973ed19bbd6c6317ce06c9c1bf3528733a59de3a7c2383f94eff7895448

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
55KB

MD5
d13e13547c756f76a362e42d8e33c365

SHA1
024fff750cbf669eef99745bde4cb871145d4188

SHA256
c8031997cfd82c5b96222af18ff749a890f24c2673065f0c1afa07512e05f6ea

SHA512
3274dfcc8941fca555a7aef46d0187cb637cae654a9dde28b5290df9e3d95c3b72dd8f9964ff8bb2a358254a9cda62b95d0588b24bf24575ad65b15019bdf94d

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
55KB

MD5
6a760e1337360d60de4428bb595f41af

SHA1
3d6fbd2c7073938c0a1b1499cd570030702d8469

SHA256
714892d8480d3684e10f89e2eb7bde53d989c4344f4e1ca34ef53d714a10fdb2

SHA512
d79d93a7b9bcfe0d037902bb570e439ea487abe86ecb7ede5be1496ff0a7a29ddbfc4d7a8fb0973fa8ae52bbd9f80dacdd564992f4928716b4ab44e4938a2840

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
55KB

MD5
afe32cc004b07a847ea832e0223867f4

SHA1
10794e68c57925af9df444ba21bda3982e89b727

SHA256
1b0323ea8f39f3e82f85ca28fa38add132b37641309a6cbdb6a2c5b3f4ee2b0a

SHA512
e48a68ffe7f8cf957f112d77f5afc7c528fdf3968e4b45fdd6f537169f59491fc64942763803e63d40274d1e1647ad26dfc3d2c38d9c59b5c1f92b7cbc5f6c95

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
55KB

MD5
98e8fd8facce333ae50ae66a62b47038

SHA1
31ef800ea8cf5b943ff428bce4f567ec166e7ae5

SHA256
9361110e2da7b753c6fb71e1449962406c5a4102d2ba38752ba7ca458472f3d4

SHA512
49df75b132b402634e4f34de04801521a2d7224d2ca7ddf2eeda36f80d3cecb096658fe2b9b4d688a97a65cdd1615fde7f88df0dd88d557accf7f2bbb2350767

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
55KB

MD5
19828066a21890d0c5e01dd0b01a7310

SHA1
fa81fb0f3406867a5958aa8826794a9c2f396124

SHA256
4d18494befcaedf9b455806caac53b7295696312d95d4fb23d0db089043436b4

SHA512
5541342188f8111f572b1346da2d4c2956624406d96487b1d7531537732aca137fabca08c08c3cf56e3963158c8623daaef6aaaf7e74e75a91f77e9461206fee

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
55KB

MD5
2fa4a4363830a344c10a8c474a281ccd

SHA1
4d2e9bda32f8e1b201415e88d0143123d8fcb0d0

SHA256
37d63d330618abb6eba1d7860c1d658858b0fee919b369c4b35bc137a5a8be78

SHA512
85fa87f8e3b1c6e8fb670d4d3ab1c8a859b7d808fe13ac13f358d353d1b958bce7ee4030c334b653b73f36f2db4041f40523e2fb9358bcc1286ba98ed5666df9

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
55KB

MD5
9aea68ac10f75ed2e015c7c63d9fd0c5

SHA1
58e9424604dffdf3733a19a7070e51693fa01ec6

SHA256
f4def2c328365ae9ca4726bf2ed75574fe29932b393126629781f011f6a2e3de

SHA512
ea9202da5aafc5966a4c83fe5f0bce566a703b6dcb1d73b5a95cfa28a1cc933d15e19fde99c2c7421dedde3d011054700fbfce67055951e58233b0dc36d7a1f7

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
55KB

MD5
752d2414b317514865fe67b83d1614b4

SHA1
a5e787acccaa244ca5622374df51b4e4cb3168c7

SHA256
f32ad3015b8376a40451df384911ea71cf41dcebaf8927a51b8636a48f125b35

SHA512
168ab436e53bf940af16974454c16606bf401a8e721f280c314c037c3c03b0049ed08f5bddc92e76cddfed5db12fd6c79d4fc60d36abae5070f226f7582055a2

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
55KB

MD5
2584dc6edfb0c2d66c9781fb502d00e7

SHA1
60ff9ebe2a9f73bf126a6080ef5598d635080a7b

SHA256
3837c25d9407a31fae410bc62c336fba713ad287f21ff07890cbf9a560dbedde

SHA512
ac89f26670434c7971f7ae20760f3293e58852945646feba53e3ab3c9eee2da4b6dbccb0746713cd13017a78f166a0dd41d543c80756e74342c18b2ae986291c

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
55KB

MD5
5a128cb4c7129d7371ded30ccb54c87d

SHA1
c6d220cdd51ae09cbc1affc64e1ebba1eeac484b

SHA256
d5a19bf5fcca5e02ffb25e0c91ffabd6f18ee14299868abd533f54a2d3a4a2aa

SHA512
28522074f8c68129c88a4ed655518ea1ddb2a7b22a217925abfcde34f710efaa96f655879f8bf8ca6b74c2ab6de3ef866c69e823b544b8553dae80f33d9917b0

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
55KB

MD5
28eda8967d7581688c93436239bf6720

SHA1
396790a9146900fd9e66abe9de18143e9865eaa5

SHA256
2c09fc441f0330c9f7d44e21df75eb3f0ee9a6e1368cf7978652cb6e9c7da87d

SHA512
c370b8971a846ea6a8179a8ffa0e82e4ddd929f47c7fd7e1986f6238b662fa314e874e3f68c982c8b6efc417bf490bef5bc2d93638f07692759cdac6bc441cfb

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
55KB

MD5
c529db3ca44c0ca039079e7b0860c9a6

SHA1
3d64ebfb89e3c4263c4ff016133a49170662152f

SHA256
055cf5e9fb4e8c1c536778d6c79fd86c994bac4c7189cce957b7a552e1a1477a

SHA512
039ca496694a2ec1e5e3340f0e39e678005a3f98f790f5ae0e8e824dc408111673155825e06b55193d43af1ca3432cff512afca411fd344981a7d243e60bbef6

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
55KB

MD5
3e76e59fd27e492f37f62a7b77c0e613

SHA1
cd1696b57dec85cc7d2826a14157db762a34b8ba

SHA256
75755bc9934c34b88d0ce88af36c4c6cb88923b40d4e1dec516aa3f38f129613

SHA512
301c8af288a8e5ea7b681da8f6e2d7348893979aa8a4a0d2a318faff29bb9590a96a6a83a01a4e854e4c8765c4510fcdc23cf00ee32aebbe5d732b83526b6f3f

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
55KB

MD5
9b61b2e19ed11383f4279150b032eccd

SHA1
2d12c2c157d1c1ec9bacd460386ad3fbf06b2c95

SHA256
385cca49937b6e6e4de57f5224f24aac8a06fc8a17a01925c9a3c1891983535b

SHA512
cbc8c83f0a2abc3386de8c24b53edeb87101c66a8a25ec771960c2cdbba12ae6e229c3935e0e7b741f3eeca8a27574c36536f3f687b869a328b515d1c3a27643

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
55KB

MD5
e82d4b80ace4d65e3ccbdc859d22e406

SHA1
4c5401c95fb9a859afb1461fee59c9e5d4899330

SHA256
67a841b12fcd3b565a37294c3bf1b4f42b96d4f8afa5b925c37683115982f920

SHA512
2a506cd2367f4bbb1ba1472583150a0bdab21d736ce72ec172da20948b6e657195a9ffea4a05ab883553ce7667775dfa2e5875cc4ef8e7d73c2af6f3f259a56f

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
55KB

MD5
051b543cb09ceb5fc7c3d7fc0b1c3213

SHA1
7121cb5030cacbeffc296e9cd2ab3c10cf801f67

SHA256
c5ade6594a4cefe123cda9b5fe44f9829e81e005da3cc0a6c0cc606293450fd1

SHA512
96c18400dd2a8c566655c1b4609e72a5de483a20becd96ce2fb1633f89200ebef12f81c667b65a255bd056da066209666dea21f4df46a16d5c23288ebbb1f51a

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
55KB

MD5
0ec88c3a2c4d2374cbfdd393abae6bde

SHA1
25cdf475bad79d7987ba8d29c989a84c8da65be2

SHA256
8949900ba25880d951c5145184f58489c284a51cd38132cc73a89c6127c5612c

SHA512
fdddb40cddf50f0320871c4b6f3f3ff3e5b18007d1860701a784cd9f0cbeb7a24746c273236051f6e0077b396becbcdb66b711b19e14e634e6eb3c455345dd86

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
55KB

MD5
5e35b3c28f03b0f11e319981c870be62

SHA1
522d642f3263a3ea2a7d51a57d1ec5e79c2463dc

SHA256
c6bb95d4a691357a8c73452b1f2828e12ff1ab19e035a0ae3d5dc9bf3387782f

SHA512
b26050c598cf3b6d11aff6bc29f8e1b889020d31d15b14a94863ec46a8b3ec60c2bddc2959c256fee8126e31051c0898b7075e5bc9df0b207ed6bc27811cbec0

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
55KB

MD5
a4440b4ff024e94942822d9108562ea4

SHA1
91a03794d7b2a85e9bb8e775e20b00c7f6fcb9d2

SHA256
526c77057f3688d674dd6549971bae4c797d9b024f1873e0d9ccd60e92419831

SHA512
33b8d12bd48676fbb28a098cac6240c392077369f06a45a077b736c293ff090bee2216680ac2fb9d77a3cd682ea811019e10b07bf0cc1ce896673658d91a73c2

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
55KB

MD5
0027329f856c868895a4337afbce518f

SHA1
45d230fb51879bf788c773b9b747b023f60e478c

SHA256
1aab209ff178c343a5b1b607a6947cb4a0f9756f6157f76f903eb77468701721

SHA512
a5bc282a438cb0267d05ff5cc09a5783eb1ddd0c6ef61e88e75164b49d39adf8f1cdaffd67d6d47287622b66c2e08341387d03895ec9c0e90a75d4b921cee34b

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
55KB

MD5
c93cd59d4c6e07fc955708e7d562a5a1

SHA1
80ceddc92be5fd48f98f2c1dc2b78a90ecb82282

SHA256
4819959efcf7d89f2873def725a3a10b2d8f109cfede73f9bff0eb613d944316

SHA512
55b2f2d7f19e761c4a0609131706f2af7dfc838a4c15079f65c2894a617e10b39a7386cc48c6135357abb12e38246e94f636e0e8de9915fb5708aac3f8f5cb5b

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
55KB

MD5
0b4ffb1da496f145802f38fe38df2382

SHA1
ef7a315fb7f575d3d306297047e8efd7dca9feb8

SHA256
a40b2127720cbdda20256dbadf5c6802101157826a330a52bc8ffe9884815199

SHA512
313951e108c6563835baafbf3396b498eab602da76718ef24db327d3d0ae9cc528b1059ad24a04dd02d2a6ff380a53ddaa99b9eb079e27c6a008beb1d3ded658

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
55KB

MD5
13a110a09b89c15b5986edb22e2c9bef

SHA1
f2865a8b3dd9d8764fc6b869740066c0db61eeeb

SHA256
4f27fb54e4e8c6634838a004be7bbc5f39f694b007ecf9b2429ec70d11788472

SHA512
295fdf0d3a9deb752b6e63543f6cfcd2838054b9c30d6eecc62d46b1166e1cfe1b45ec59c1ee8d04d33650e53dcc91db418ba5892170d71bc7d1600cd07236e0

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
55KB

MD5
55b7b18f3c78a0c3866ffbce602a70bf

SHA1
6ffae9ecab4aad33cce2528b636da1af0e8d7477

SHA256
e7092abb532c2d05cca96c334ed9f564b57af7c4698bfb056a9e6473111ff1e7

SHA512
191e310376a8216ccc1e733052e50d097ccd9ad9cf531d6f17eaea83513f2e0b4e70183fae7a713977b7f27fe594261e3c6325c0ed02bc977f76119c98d5f654

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
55KB

MD5
7f856db8828cd49dac827702a68c1c34

SHA1
4e5c8c48e8c0f296ddb4991ccc9e47c7d6d841cc

SHA256
b7ef4b7a4027438c204d33db4729ee8371fe355987cd98325c992de2fa26414a

SHA512
af67057d38b99266cc78638a7cc6b48947c8960af99a3e5328daf4b47c101dbb4ffdb77a991747c999b0371d42acc8f146a077de0a1109d084a46f5721ba760b

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
55KB

MD5
c8b4539171798b8ac77405c64550387e

SHA1
527c9dd185c05f56242097028aa7a1036f86919a

SHA256
a39d7b5576d0c7334a700e461b2f78ae093ac7ff7c16615745f9023470c12689

SHA512
024eb0f4c6e1d1f01a544526d2886e34aaf7545a099411a30c9cb7033183fcbbc0c4c4f3554eb6c2debd65cd4873bfdd27867bf290b55d09509ebbbaa4488077

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
55KB

MD5
838990068f03abc2b2314ed0e8ba3aa6

SHA1
ed96df911ec7bb41828907def26ec8030436d393

SHA256
2b3095cd65220e0010dd339ad1b9ae96132c76b2ca2018cc743ac4adffbb0e8f

SHA512
dcee5f708a5e978cc8ea493417bf7d1d039a19cb535de5b39e2d2cf637641054dcf2ffc1cf3cd2446e2e8d67ecdafc3026e13c279ac060d80ab3d6ba048089da

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
55KB

MD5
f924caf31c84bb3ac590dacf84a00908

SHA1
daf7d4b260a6c850506c5092d1c32885971fba2b

SHA256
b0e167a5a65ecd6bf71000a3be2dc068aac95c91f79a26f6856437c5feb57037

SHA512
f667a1de766c9446df4f7b2804d034045896a421bb3a9e846653e15e630dd3d6969176351f44fb072b65fded4193ff538a44e1a429d2ee640d0f64f0f3ca3393

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
55KB

MD5
e07fa6b4c7636291b50b091ea7c03c22

SHA1
77e9ffac04b7ec1f76c714bc956ddeef77398336

SHA256
43fdf5a03be9df917152f18f1d8bad2cb7fffe9e4450f035db6dfeff42fb0c86

SHA512
514aa89eac823e1361d92387828ab7b94858a121bd056d31748d558b9975d8713a96e6a250d925967256f8e14e77023d421478b27de8ca6877a82c9e03839733

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
55KB

MD5
a849fbfac61f9bfb5732b1acac1d1b48

SHA1
209f0b7af343f7e3ec4e43372075c687d8720ba7

SHA256
b010fc28919169c09957d47b62f03ecaed28c177c7fd54c69c75013652d55d0c

SHA512
af950851af39bb9106a8a49a6ea0a2278406107207385423f579e00213d2f261c2ccdf136d066a20b0de3900d98164c9424866a712bfc962fbd0275a72249c99

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
55KB

MD5
4142a5a8d14483b1a0c88e8fdace68a5

SHA1
e1cc7b74dc3adf069f2f6d955a7c08f029b5c19f

SHA256
b67d0680ab8882c2f0199108cb3ca2182fa3c12e33d2399a4267e603ee310bd8

SHA512
f793dfd2a06d1303ffc87d004217e1443d5f292db9d091a886cc45afcf46c4f87ba8da3249f640f95d62de09c0ac2f4297c741d29f886fcad257abbc5f842654

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
55KB

MD5
f181b2c8fb382945b6b8370ebf008211

SHA1
4d6a26b3214c50e6645f7eeaa04d9dd33eb25d68

SHA256
424bc447f5ca4cfdaaf621bc97951285da1175bd493238fb8ce335917423ac91

SHA512
0c69dfc94ed921ef835c4c18824879a5f906a156edfc7cc4cb34b478774b5595191782801230a3bf0cae01d90033bde87ae65d6e6d11f03067b738887ce7907e

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
55KB

MD5
e435785359b99824ca667bd4eb1c56b7

SHA1
b9653664c665cca2e60097c1bc1148cbb86edc81

SHA256
6cf5752eb8750fab9c4db504817bdf3388ff3ba55fde852cd0bbc49d21a73915

SHA512
6d47032bf39dc5477f0f2928b9b344a880a0e724a0fe9cbdfdde82ea67634af9f63cb5b592d8b6d9292ec2b8c4a7ec0b53c2b5524b1dd3e99f1772a3900e73ef

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
55KB

MD5
246bd81393a5da1e8fa2d16297bab706

SHA1
b4132572465328f3f462ebe60a1f5b9eeb04a215

SHA256
9044c97aae1e3d92d5a3b209b29bb247647ddbf10736113cfdf697fd964cd39a

SHA512
485800c0aa90883ac1a45632e976223f8e0b34d3ae1cbe8e2f579ddfa203cfe5f0637febaae0af57a09dd8c6ed7755f9d25211a563f126cc5e75ef23940ceaf0

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
55KB

MD5
8387f41d98db57a436ee9b728f15d218

SHA1
e3fcc722efc5c5f80369becae51a7f75ce0361f3

SHA256
43f3ea8390630cfaece499e446432493ab304c142d7be2cf8f1a42734c3cb566

SHA512
65f0d698aba0ef74283fd4996d0e4ec47e54a5f66692122d3fc22de87221c51af39660372425d22fcb9ad1cb1d2ea76e07ab37f0944d5a84a9f36799400d0107

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
55KB

MD5
e9f27a54eecfb8ce2d9362bf1d1eb219

SHA1
3344843c5f08b9a7e1df003bbe1b07f4f2c87a2c

SHA256
c7565480a4e0e5fb54fb58ec76875a738d09ec8aa12407f4b2b0c9eb64c2c0b7

SHA512
187ed2ac33f15835d11615d7ca5b01a35343981f3fe5e30d5170a78f6ca728d8492b0a30a41ac02b75d546f660dd2fa78c4fb9b3d4473a12a38f47d59a0e9dd9

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
55KB

MD5
ea3d614045601de0c793b9d8db088e63

SHA1
e0bdb39b483af6599998737cb795b04d9353a7cd

SHA256
1e77c180aed8db2976b9f6a0bb5933d109874a205b2bfea597b7fe3d40268632

SHA512
da38408f7527fc85d9d18d9a48f1c54edbc4ac7b6f4d7f311d3536337dabf44d1e6a283fc32a0106e6cfff94d62408eb36d02b517d2879ea5a4985b5e8edcfb1

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
55KB

MD5
288a9ba096b7f76541ea3a7d3bb151d9

SHA1
621f4a18ff2bd72e3599e6a2be2ac58b1686adef

SHA256
0feb007515ed2884498191c8847b405537931d4ef2ee4b24ec3b44b984aeba85

SHA512
98c490f649739d4dd4d80017ebc9a8d4204d5cfc4e8a0004b4c13eea6c367bba243817bb8769dc97d3eaea6d0a1461620c67173d4e79a03876cc3e0ef19bb4b1

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
55KB

MD5
11bb2b07ec871d60484215f1fd124eb0

SHA1
ab459415069174edd437b0ce2d034b6b38810a58

SHA256
0823f7f71d02d6f9ef925e1f24f18b66dd86d635f3caa1e0573d2eafc772b6df

SHA512
52704229a8ad91e7ad34eab11db7ebddab6350db13a1267413f05109ee2d4586b8e63ed7cea50afb52daf3d370580973c710168df7fb1ad10211a63f2c8f73fb

Download Submit
memory/8-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/184-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-964-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-937-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2284-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-932-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5724-910-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads