8a596a80ceee7124cdd655261092861002caea6a93b201eb2c8646c7c801e5a9

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe
Size

90KB
MD5

28d8e7c077cd82117df29cfd29583740
SHA1

ae8f8eb097de1a0f40fde3c7f2cc8b8ca60152c9
SHA256

8a596a80ceee7124cdd655261092861002caea6a93b201eb2c8646c7c801e5a9
SHA512

8ac801a2c89603f76e3530991f304cf30035b751947e8c04aad044ab77cf87b413bf4f693891b7ae5f0b2ea9e29dfdbb1b102831a016d23f20d9a1bf10322bdf
SSDEEP

1536:xULRMVbNc3guIbFO5ROf2yeBJtHMY6nzSU7N/Gnu/Ub0VkVNK:KLc4zIbc5ROR6TMYFalGnu/Ub0+NK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe

Executes dropped EXE 64 IoCs

pid	Process
1368	Ehlaaddj.exe
1660	Eofinnkf.exe
1680	Ebeejijj.exe
3296	Ehonfc32.exe
2108	Eoifcnid.exe
1100	Ffbnph32.exe
4544	Fhajlc32.exe
3952	Fokbim32.exe
1344	Fbioei32.exe
1568	Fmocba32.exe
4812	Fomonm32.exe
4244	Fbllkh32.exe
396	Fifdgblo.exe
1852	Fqmlhpla.exe
2068	Fbnhphbp.exe
432	Fihqmb32.exe
4560	Fqohnp32.exe
3676	Fbqefhpm.exe
1384	Fjhmgeao.exe
4464	Fodeolof.exe
4780	Gfnnlffc.exe
1980	Gmhfhp32.exe
3464	Gcbnejem.exe
3300	Gfqjafdq.exe
2380	Giofnacd.exe
4136	Goiojk32.exe
4352	Gfcgge32.exe
2480	Gjocgdkg.exe
492	Gqikdn32.exe
464	Gcggpj32.exe
3008	Gfedle32.exe
2224	Gidphq32.exe
5004	Gpnhekgl.exe
1912	Gcidfi32.exe
3808	Gfhqbe32.exe
4996	Gjclbc32.exe
2156	Gameonno.exe
1776	Hclakimb.exe
3044	Hboagf32.exe
1704	Hjfihc32.exe
4324	Hmdedo32.exe
4252	Hbanme32.exe
428	Hmfbjnbp.exe
1164	Hcqjfh32.exe
3784	Hjjbcbqj.exe
4284	Hmioonpn.exe
4340	Hbeghene.exe
3868	Hjmoibog.exe
928	Hcedaheh.exe
1772	Hibljoco.exe
3848	Ipldfi32.exe
2884	Ijaida32.exe
4068	Ipnalhii.exe
1548	Ifhiib32.exe
3500	Imbaemhc.exe
560	Icljbg32.exe
2124	Ifjfnb32.exe
1552	Iiibkn32.exe
2456	Iapjlk32.exe
452	Ibagcc32.exe
4976	Imgkql32.exe
2324	Idacmfkj.exe
4852	Ijkljp32.exe
2752	Iinlemia.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Fhajlc32.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6284	6196	WerFault.exe	247

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1368	4908	28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe	83
PID 4908 wrote to memory of 1368	4908	28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe	83
PID 4908 wrote to memory of 1368	4908	28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe	83
PID 1368 wrote to memory of 1660	1368	Ehlaaddj.exe	84
PID 1368 wrote to memory of 1660	1368	Ehlaaddj.exe	84
PID 1368 wrote to memory of 1660	1368	Ehlaaddj.exe	84
PID 1660 wrote to memory of 1680	1660	Eofinnkf.exe	85
PID 1660 wrote to memory of 1680	1660	Eofinnkf.exe	85
PID 1660 wrote to memory of 1680	1660	Eofinnkf.exe	85
PID 1680 wrote to memory of 3296	1680	Ebeejijj.exe	86
PID 1680 wrote to memory of 3296	1680	Ebeejijj.exe	86
PID 1680 wrote to memory of 3296	1680	Ebeejijj.exe	86
PID 3296 wrote to memory of 2108	3296	Ehonfc32.exe	87
PID 3296 wrote to memory of 2108	3296	Ehonfc32.exe	87
PID 3296 wrote to memory of 2108	3296	Ehonfc32.exe	87
PID 2108 wrote to memory of 1100	2108	Eoifcnid.exe	88
PID 2108 wrote to memory of 1100	2108	Eoifcnid.exe	88
PID 2108 wrote to memory of 1100	2108	Eoifcnid.exe	88
PID 1100 wrote to memory of 4544	1100	Ffbnph32.exe	89
PID 1100 wrote to memory of 4544	1100	Ffbnph32.exe	89
PID 1100 wrote to memory of 4544	1100	Ffbnph32.exe	89
PID 4544 wrote to memory of 3952	4544	Fhajlc32.exe	90
PID 4544 wrote to memory of 3952	4544	Fhajlc32.exe	90
PID 4544 wrote to memory of 3952	4544	Fhajlc32.exe	90
PID 3952 wrote to memory of 1344	3952	Fokbim32.exe	92
PID 3952 wrote to memory of 1344	3952	Fokbim32.exe	92
PID 3952 wrote to memory of 1344	3952	Fokbim32.exe	92
PID 1344 wrote to memory of 1568	1344	Fbioei32.exe	93
PID 1344 wrote to memory of 1568	1344	Fbioei32.exe	93
PID 1344 wrote to memory of 1568	1344	Fbioei32.exe	93
PID 1568 wrote to memory of 4812	1568	Fmocba32.exe	94
PID 1568 wrote to memory of 4812	1568	Fmocba32.exe	94
PID 1568 wrote to memory of 4812	1568	Fmocba32.exe	94
PID 4812 wrote to memory of 4244	4812	Fomonm32.exe	95
PID 4812 wrote to memory of 4244	4812	Fomonm32.exe	95
PID 4812 wrote to memory of 4244	4812	Fomonm32.exe	95
PID 4244 wrote to memory of 396	4244	Fbllkh32.exe	97
PID 4244 wrote to memory of 396	4244	Fbllkh32.exe	97
PID 4244 wrote to memory of 396	4244	Fbllkh32.exe	97
PID 396 wrote to memory of 1852	396	Fifdgblo.exe	98
PID 396 wrote to memory of 1852	396	Fifdgblo.exe	98
PID 396 wrote to memory of 1852	396	Fifdgblo.exe	98
PID 1852 wrote to memory of 2068	1852	Fqmlhpla.exe	99
PID 1852 wrote to memory of 2068	1852	Fqmlhpla.exe	99
PID 1852 wrote to memory of 2068	1852	Fqmlhpla.exe	99
PID 2068 wrote to memory of 432	2068	Fbnhphbp.exe	100
PID 2068 wrote to memory of 432	2068	Fbnhphbp.exe	100
PID 2068 wrote to memory of 432	2068	Fbnhphbp.exe	100
PID 432 wrote to memory of 4560	432	Fihqmb32.exe	101
PID 432 wrote to memory of 4560	432	Fihqmb32.exe	101
PID 432 wrote to memory of 4560	432	Fihqmb32.exe	101
PID 4560 wrote to memory of 3676	4560	Fqohnp32.exe	103
PID 4560 wrote to memory of 3676	4560	Fqohnp32.exe	103
PID 4560 wrote to memory of 3676	4560	Fqohnp32.exe	103
PID 3676 wrote to memory of 1384	3676	Fbqefhpm.exe	104
PID 3676 wrote to memory of 1384	3676	Fbqefhpm.exe	104
PID 3676 wrote to memory of 1384	3676	Fbqefhpm.exe	104
PID 1384 wrote to memory of 4464	1384	Fjhmgeao.exe	105
PID 1384 wrote to memory of 4464	1384	Fjhmgeao.exe	105
PID 1384 wrote to memory of 4464	1384	Fjhmgeao.exe	105
PID 4464 wrote to memory of 4780	4464	Fodeolof.exe	106
PID 4464 wrote to memory of 4780	4464	Fodeolof.exe	106
PID 4464 wrote to memory of 4780	4464	Fodeolof.exe	106
PID 4780 wrote to memory of 1980	4780	Gfnnlffc.exe	107

C:\Users\Admin\AppData\Local\Temp\28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28d8e7c077cd82117df29cfd29583740_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\Ehlaaddj.exe
  C:\Windows\system32\Ehlaaddj.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\Eofinnkf.exe
    C:\Windows\system32\Eofinnkf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\Ebeejijj.exe
      C:\Windows\system32\Ebeejijj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3296
      - C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:492
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        36⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        39⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        41⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        46⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        50⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        52⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        54⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        60⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        63⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        66⤵
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1484
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3268
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3040
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        74⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        75⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        77⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        78⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4708
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        80⤵
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2820
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        82⤵
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        84⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        86⤵
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        87⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1768
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        90⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        91⤵
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        92⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4120
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        96⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        98⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        100⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        102⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        104⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        105⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        106⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        107⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        109⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        113⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        115⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        117⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        119⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        122⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        125⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        127⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        128⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        131⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        132⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        133⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        134⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        138⤵
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        139⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        140⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        141⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        142⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        143⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        144⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        145⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        147⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        151⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        153⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        154⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        156⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        159⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        160⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 420
        161⤵
        Program crash
        
        PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6196 -ip 6196
1⤵
PID:6260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
90KB

MD5
f7e4591b5666cdfd151f68f6f2ff9eaf

SHA1
5a28c3878b8b28862cba8ce86c0e01cc4f9765f2

SHA256
999c2c9c567d4c6a8c96c187d57c3dee1f1d396a61de1be15e4d548750375ef2

SHA512
24ecf95923a925c30937e7ce07ee87ea58208286c5f94fcd284423f9c0f9eb0127b0bee2c570fc65ba1c538c73f8dd30be7d92d808027d2ca3ec621b2a3d3103

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
90KB

MD5
e686199f0708678d17171fddd0105d44

SHA1
5d08801eb14505e6880ee33ed6e81946c8cff7d7

SHA256
df44df596b5c93f465099ba25440e6f5a218bdc2d2e1857d561b9f0d8ad1d52d

SHA512
ce7fd87f20ff5aecdc6ea9501f405d8cbf317282bfeee010e2427584a56add1c401bb704f01ba234c0d4a813567aebb8f229ed8f74120ece979cde670e62ad35

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
90KB

MD5
244f2dc11a4ca6f3027506f9edce77b4

SHA1
aff865885dd16bcdf094e4d5c4a49e0dce21bd9a

SHA256
bd5fe494757cf36ba11fb30a0cd26dbc93345cdbce9ffc12c16ca09a98059d30

SHA512
d77a17c321a7fa9a72f083835708da18852fa2acb9bf747dd7e8248a5cb619477a4514f85f8b9d51dc403117065a85e3c4edbc554bca72cf4b80c1cc2dcb1b3f

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
90KB

MD5
db4c105db27e16b87e78addbf1ba87ca

SHA1
1924d48c336b3a979d2984e49d732901df5695a8

SHA256
c17efd9263b3b0cb00ead0473b0f651ffb54729dca87a94b016239ed5075dcfb

SHA512
f1fcebb1381c0eca835d026d73abc3a6cc91105009ef9ef749232485c95dd46bf80376c47b47d6850bb005372da49bcd69ae19af1ad6afb3e9002af4d7ac6c35

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
90KB

MD5
95d84edd61cb5247c291a3002780bb95

SHA1
66489cebc9ce103f4cb95d58a8de36e1066c1492

SHA256
d315d30f6d6fd408b1ed146d6926e488fd9518cd1147034304e002d6ce69cbef

SHA512
39f0cc045fa4dcd02720b45bf07dddd85d05c2e23a2820d70b59df240c37cf6ce83d454403210697bf7ce2a58a79938c9328f59f1bbb44341e81d2b1d9092ac2

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
90KB

MD5
dd2327bcb1a1dcdc04ff76ec9f68583b

SHA1
bb1aa6adea281acd204d0fa5682de8de48ea6b48

SHA256
12f998a7675b9dde3552f002b0a4d71cab9f63f38d95d0c417158f78a9d28d3e

SHA512
2d3f3e8ed526a25090696a19d661e781f01e735ee4e7d8c11c31f5fe8f30e12f88f63d764d7a838d2bf68e30d960385d144cee5cf24c676e90113b8ae455ab97

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
90KB

MD5
3e3fab0a2f7d1f23fe6be800e6b4b5ff

SHA1
11af5e026046397891506918e5c48cc1f2ace156

SHA256
0da7a825916fb66cf676e477b206211b65e12467c4195baccd6b0e8d1dc4ec71

SHA512
27c508b6376588250b108d20ebd26aa38069b3129950370cde7af281c64f5261de016362ba9e8c15cba2dfa644a2d2f458ca5e6aa1b22558fd96be2274d30143

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
90KB

MD5
a0052963e57d1c2a120f8c72fdc10ac8

SHA1
5b20ce845a6967880765f8e273011c0be007c3cf

SHA256
0b566b89de632ae85a926a7b5116c2bc3666822127595ed78c367ac1b24a2b6a

SHA512
ad96c38972b95b5f6fd5293854ab02ad6206cd2c9a3ffd43e062b97bec20db6f09a970321291fdea2124d1e8718a7ce91d84c577dd8cc9ae27845a8d18cb5618

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
90KB

MD5
cc5e4393ee3df0dfb142e7f67e519f7c

SHA1
5939764c6dd8a1d07cf41859355ad2857ccc1f5b

SHA256
046c889d3e1f3f738c002cd476f0429be60f9e664ccc5f1feece21baea2e572c

SHA512
0f487206eb618065ea0b391f1feb5017828fd99f1652297999da883b01904eac37f5c95093b57d778ad3bce268781f59040b9d4acf4f71eb19a071e9a4439df0

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
90KB

MD5
1536ee280d1282db9363b5eaddfc26ad

SHA1
b9f7062a7ce094d65fd7a5c3376cb4291e914c6f

SHA256
cb31fba89a86d377af8541db7355c2a4c42792c0aac17d3c15065af76b4e99b9

SHA512
d5359a65eaa7ceac4b83de3633ad9189f096e91ba7ac660e9aefb80c2191c219490df7314c150511ad809395be886f966084bbb6ce5120e29a038c4bba2c9189

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
90KB

MD5
79dc28b74bb8b6c4773afcfd6ea2bb08

SHA1
9064944edbea2cbcd7258e046e28e192fb5b8311

SHA256
0330bd68126af2bb962314f1f9550a782b2390a5f28cb5862fcf80995b556a58

SHA512
72e1dc3ed3d3cee830c433836453f007fdb0b6bd6f8d29178e1597388db9bb2575e4b77e2774a7f928b0ae97c6462a2cabd7459b3506ae251b193d16b484490a

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
90KB

MD5
172edadba43a96614f85c6df818a1ba5

SHA1
ae9f179571d62416876d620b3c65b56a575632f4

SHA256
102d70fa9f48b334b066a90fd7969166c6ab09361344748498527b4af5366c1c

SHA512
84f45e7826c784257582888acd299d270afb1baaaf01dcdeda04a37a8ade209d973c18c3f6d24dc72fd180cda5dc967f7d318b26e9e214aa479dd063836735b8

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
90KB

MD5
83d8fd844b58fa93b53a0c5ee7b802a9

SHA1
f5be8349d08d38ab47f021477ad21df07e38431c

SHA256
277c3a68675dbfe2c77c73772926bfa71f66873612cc712f9195b9d32cdeace5

SHA512
d28c47e209da7ff9d35dc2f702d6add768a658305d0a25d0cb6cfea88a206181aaf7ded9fee1a1c72f29e221e74ba2acb14b214612e2452d17bf2f94fafff968

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
90KB

MD5
1713d39dde7b6a6a888a0797019d3d5d

SHA1
6cc3472490a43f63927cdf62eb4b76897ee0bd0e

SHA256
8cfaf1a37ad9f78b148216abd4abd4bbb4bf7b1b8fe3e1343bd828a74148a385

SHA512
d94a5768176ac901d6d6273b05b8e8c2c98629987608c2da882bf5cde0e9a592305c20f13875151b6c38e2a1a0946c9cb65bc814b1627c1536730ca237c45851

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
90KB

MD5
0e5356e4c7b507606e0b3eb054f06f3f

SHA1
6988c0347c868cda4f1a9c4c226c6b34d59414b3

SHA256
cd7a75a558672250e79cdcd710836a42bb719a2f628e9e0b0db01084db0df639

SHA512
30bdbd3d50a7d8529108c8f30c95dea323b938cadcf0220d7fde234fdccd5aa3563cd1723c52b97dbdcc635a3e025ab09944bd9486fe998494b4fd92367003b0

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
90KB

MD5
5bfbcaf8d333207863835d6e991955a2

SHA1
1b1fc5fcc71fd1b902c7a311884ac18710553860

SHA256
6710f97b3a6d42a3527af426ead58ba49ef53c6e24f8ad161585f5ed3a6609ff

SHA512
650549d64e303ec59929a665388c08fdcb9c94d55ec2b4233a3406ff9aaa3790593a2fc476b4b755278c8a90f843f17b99ce2d9b9dd25da99708da3849261201

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
90KB

MD5
6b02be412aa2f60f9dc227f06475e457

SHA1
7dd1994644c1736e4bc1688e92b5f82f98d4a622

SHA256
e8332fa760e29ead706ce686add5ca603c206b35313ba83d9e34516ceb86fb7b

SHA512
84a49b939f201438abda5b42d7c65790cb888e87413c7caa7740b3eb9e0a4a498f5c82b573227c2eaee4fa3bcbbafda1534ce5e5237785f64c2c245efb0cf2aa

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
90KB

MD5
26dde88b6df84d98bd35ad89be1e908c

SHA1
5354527e7398c987b13897ac580c7bf44d3ab943

SHA256
aab8097a011e70d96dbe937d5e255e9850c238e4331c450ff0df49566081f457

SHA512
ab08bc659ab8924095918504dcf8d961137db7d1779f9683823018b86c2bdf418fc33f848183085474664f94a45747c8cf8ea19a8c3d3e32910b571833081f59

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
90KB

MD5
1a21509c9cdaea02084f73c1150ff4f2

SHA1
4fca6d0fca3b61854badf1f89d9e8a456a92e134

SHA256
2aeef7443ffdfafacf532a3c634ee647d381b9cd3f2753b716ec4733b7d66b21

SHA512
7d7877f3ca6878b636c2cb1beda9f3d286d66e6872974bc55ee1af1ff815b4ba4ea2b83f6d69723391d21d0b8236a48b5d7f442dcb214ea62346424942e4214f

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
90KB

MD5
3604a6d0ef17dd588f1f70466f180905

SHA1
6f6ceb41c9d43b6b573b52599014bba9160e4e71

SHA256
8ad816bbf13341bf9847f52b659d96f1dfc5e7815a434ab83a09869f8d2acc8a

SHA512
e7819925d25e9e2fcec62125e0d76dfc02cef145ae4ae76dbba3630a122b480b6686f09d780dee792d281acf84fa9c78c85305f3b37662511ba5cb2dedd6acce

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
90KB

MD5
d4159489edd943a33927125f9793a6e4

SHA1
5bc4481c47fc708044101e5ca6be47f829c32b04

SHA256
7452b06e36a4da57906d956b86c9756844e64a02c85dfd7fda50f0bf08709ce0

SHA512
7cb457adb60ce7cdce9470d85f0b523d2ef87e223675615a5da82bc8935e6e68046a1af780bafe9d1df67e9776c64080115fbf71231c3d2849331067311b6423

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
90KB

MD5
f3f47891873e044f52009490cd7ce4e1

SHA1
76dc5c0d89e2b900fd33aebeb9fd77476c4f1f9c

SHA256
467d155ad802afde4c96e1addbbac60213d80869802987645cf586918aac4706

SHA512
18fee664d55e06d6d3bb6bce4b2b197de33d2993790283053313df44c5cddefa0f36562f56623d0397b9ef4041983e1fa09a4d44fc474308817fd8333a6cd0ba

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
90KB

MD5
4e2eb42a8fe2725ff53f9f52e7599748

SHA1
faac3697f467ed7698e063cf87643eaabe6055c2

SHA256
b9af3a1aa98b16cedcf822e4e8c437c7b024b552b30dbf72bd6e1a1400ac3a5c

SHA512
82ff2badb6e0c785abeaf75339e8e1b37e2bf7c8914b298df9f072d8fa83f401bc789473d16746883b1a4e14e79361873970815af696ec0aa10de41de45c065b

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
90KB

MD5
f1e89ce7cd5ad8096d9dacf089f9ecb8

SHA1
82f85d99a2c50cd10ec4f6a65c7e5e6c32fafe50

SHA256
7a2a767b5b772e36c2d13c4acce383c663c04f12c3708019ff7b33e6e1a05238

SHA512
61f9551c1068ad0528a954f9f38f0e73456e31f084cd15d5ae9b31e46059400e2b8fc4ed54c207bc18742e1f3232b22ca8bbd651b13441113f3fcea537134d38

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
90KB

MD5
194f49b12fd0d8d8fdd6815b8406be20

SHA1
f8e46ff7ce16ab1edcc944e01967f5161a376213

SHA256
df895240bfe671f82adc1ddc6f78227e9403e12505f3244fdd3f36ba3dba9305

SHA512
ed70a641fd3d921a4d2d8baf59b1e0af9ce7913954fbb414ffd5153f10bef71fc5775cece2888fe0239e6f70c39bdf5721f56ebff397d68d67b593466f6b3ef4

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
90KB

MD5
7b6dd401a907c8b3d978c298e57805ac

SHA1
e112d1aa781d88b793ab7c538ebd64d5ad12ca38

SHA256
488cb3b4161a70ec652f375f36bd0cea9c3efc958a88314df9036eee5f935514

SHA512
864599d6fad59ab8e570ce1d3ff060bc9e532498d23b2025513bc066d4312df749e8865040f7e665b7cc8d741e0a47cf0eb57fd8f017b8ade5860909f72f53ed

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
90KB

MD5
344c517f599b78293a6f6dcdaa12825f

SHA1
303aa9a8e9e549f1a8f5954a9e7c71f1c055d3f1

SHA256
96ccd40b742bfad0510e0b14aeb5d50b29fd811db8b9161b2b82d4dafeacaf01

SHA512
6b65fb0e26e1c87bab44095c258c89d4a578718f340bda2dfe76947529585a4aff817cfb6956a3f75cdbb8f1a8c0f344aa831dbc86b27179577c92f12536f7be

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
90KB

MD5
93da9e7a13cb6059d76eeb41a950fbe4

SHA1
291a58544d4aa0e56077d8fce7056fc63eaa9119

SHA256
79a29d8613faf0a433dc3dadb3c379fcc75fb92b420c384e98b07c3d46bc024a

SHA512
2da8eb78b59d866bc560baceb886a24f964c673e4b36b684cd9fdd61f738ef392c2ebd9a9d4593e784c75a50382747ed2ec4c259777f5a15582670d67e60b8be

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
90KB

MD5
1b248f2702cd41b23daefcd8a9fe8779

SHA1
68e0f5ec4176104d5cc46e9edb23dc8d8b488387

SHA256
1a4f899a6e146fe0fe76209680e5fd56399a142b023dfd79ba13483b249dadcd

SHA512
168af3e23528e91673f22fbf295085da831b4d6f395917d015cd96d3b97732861164bb19ccb32bad33c78b14badd7a4ed09f3b6b16574233adb0a9fd65120cad

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
90KB

MD5
e28d51068ad1aa1269cb6e615429793e

SHA1
488fdd5093598f18b213c5b47ee82eee00a01bb6

SHA256
71c075c0d867dab2d8954c4bec2dd75de98e608cabce5f8fb44bcdf978e0eb7e

SHA512
8d95e87b75991fd869512de10a4b7100288c4b4781336b5b00dfcb624ac505853ee6458da524bcaded99e1772acc050d3d9f5c79d179b406990fd60b91f1cade

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
90KB

MD5
ffa3d757f3bab8095c27f3e0497d2735

SHA1
bdc0fc77d91f609b1e97d683d92391d425c422df

SHA256
74e550859fecc164a89edc92be0336c72b1926d299e914051d851327c22aaf74

SHA512
40c12e3ac0e0a565de350842b8b0ffe98d21bc4fcc4c7d33b78415fa2ca3b4c4193be04714e3cbbd99971f5fb925ce6ef1d3be8c5199f39f72400cc3a671bceb

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
90KB

MD5
ab58360b164bf386ebf0696bd1d9be13

SHA1
2a61c7859767f6e168d57fbb64c682c4984ead7d

SHA256
f1c63c5304dedafe525d078f12fb81fe2b7ab39650e10f1026778034d9f262d2

SHA512
2bafdbd7d09b36648622e943619ffb582670ad0c7bd892c0be30ec3d94b7142aa9d140c7574e511641c01705d0e845b0db3e3e5f3a2d17b1f6d3b12b3e7759cf

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
90KB

MD5
45c4dade5d8719e30dd78d8195ce7da2

SHA1
2f1cf5df9019e7289a2ba9b02f959e3bc3239c69

SHA256
7bc04691404e7bcc6f27d08b7404e15a18a598efd79857eca0b89060626290a9

SHA512
6261d9014e5473e0de73a2e8ecfbf9dff1ffaf1fbd456a8daa5d0715e9d2a40b481682355f6a35139538f1c543719723a4bb663dd260294f1642fe5b31f25946

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
90KB

MD5
07b68ff39c41906876ca4b0eeb0483ea

SHA1
fe57d2e033c5e7f62d20b41dd032fab5e55f0d6a

SHA256
e5f810f39459831fdf775fb10951b5419d7f4b19492e43ec1f9be801346c8a9e

SHA512
f17e93d3533f9111d5129bfe03c4ed7a6c4e3ff07b4d303fb0b2e207969b2c3323a0391c9ea94decafa7562cf6acd9e601811494606f3a1a394e1d9a1df8b988

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
90KB

MD5
3e326e3f97027370ccd84b3f88f7d129

SHA1
31a19b1b6aa31000bcecc772f759dae10da2ce24

SHA256
e330dbb90796d97e2c31094b05263819f18cdc763fedb8486a74f47cb46d32df

SHA512
88b101b18ab1ecd342794dc919218470440bae9f789c0b2146d58a02b1baca901ea6f49446078ea8366711ec57fde05d9411e34bd6c61d7fd7cd042cbdd217b9

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
90KB

MD5
39026fed325b84763a909b080dcf6d41

SHA1
99369fe21805faa5bbe542ec9d9d942a914a0279

SHA256
acb99d9f61f03b798edab613f16e3eba17a6037a4f99ab0b35100de733aad31a

SHA512
b105c482164b5b869d6f5e4cec90e6bf8943ee565a90f9b2023d99b441e1bf0f1640a94d925b5d3993fb7f1e8cd7fe3850967bc1b48ed3d3acfb3add615bd54a

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
90KB

MD5
3994a63f0154a397ef3186fcd11adf85

SHA1
61aa879099c31912bc6eee91aeb5d21892c4741e

SHA256
aaad89b244e5aefe3d40493343bce869c0e4dc596cb8f7c0d031a1c5ac257feb

SHA512
7ed20a5ef84a1b078483ad0a1eb9f470789c092828bea3bfb976402e940c89ebc685ea7dd617b29b1be45960bd5a0c9b1a531a40e18b17e48277465b55d1c303

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
90KB

MD5
d4e2b8fb52c3107dcd22711cf46ad3b5

SHA1
36e3aa8acab506548ce3aff5130776062bc91e14

SHA256
36bc3f29c7457f303aa5d7be2d4c2d98c4ffae1f763fb5a98aa5cdb6f1f45a4b

SHA512
9ba5d1ba47debeb0d3cf01700d93ffb9ab6500b44be3e0c8dd8ab2ca4b304255bb9664b78a4f04594d8d54f44b09f51e9eb92edeebb92b59bf48774dcf9f098d

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
90KB

MD5
7ff8020f43a590d692f30412c999bf36

SHA1
8ca0948b0607d7f8c8a0c687503f2b5d2b281582

SHA256
058b495c74c4299c1c5c881ba58ab530348157df76d50dfe6e9c8fe03fda366e

SHA512
c74f42cdb8c51bc1e5c2150a3227dfce599dc2b85045e9979ce1acbaa087a2fb0108731f8cc2915627e1e2101d01303b08f221a13dc4cf4db95eb5c27c85d04c

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
90KB

MD5
380496d026aa7fd718e84fb202c3d746

SHA1
222b89779585068bab1d066aea5656ee17914ede

SHA256
38fa27f4f28c98a4fc8f0264b5029e091cce658fa6a91e5c078704acdab659af

SHA512
256c0eaed0e8a251d690062ad8677db4703fc1e6c28efa00a57b4075dcbdfdade9a83e82ad542c651127a34d28e168be8a38f4e40d24ec1256aedc4b11533eff

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
90KB

MD5
35d8d9c8bc4311c4b83eadbc463eccd8

SHA1
5dea676b6e869180f583885738f21712e73d5873

SHA256
d9d464e60eda6f818ee158e4149f72abd14a01df018b2f1d8b43d89e5e20057f

SHA512
b5423ed3bba1e00c5fec600160b9344200beb0305082a5b47ececb5c2a848c85c7a54c1cc72395a53f329575a17813d94abc10671b790f2f853dc111e34b5478

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
90KB

MD5
1c07573cf011a7c7e8c73c4f6d33cc0a

SHA1
c8c7202f76b9428f9052d80dd61df91eaaf388e6

SHA256
0b25de796c873b8cd75146f8a90e24f80704d94ee3238d864ce11a63a42f9451

SHA512
64c1b67118b7f2b05f83f3dbedddbda01599f6bc264db2e8a8e400c67449f995b39907fd654cc01b777f9b8f51c0e20d538bb153a71ddd6c09f6272530ed5261

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
90KB

MD5
6a7018280e07a337e5903349b0a54ba5

SHA1
79d26960c623435008f4fcf905c85676b1430e80

SHA256
318608ff6af956566e3f74522f5db79e51b59c9aab6b5dccbf8e04344bf9aeb1

SHA512
1bf7c9ea342a79a684abda8da629fb2d2ea1c1786f1a284e5d9a94acfae91ecb87e31558a9eaa43960ae5951008b082893d159e11029bd0c8b246f1f57a44bc6

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
90KB

MD5
cd6d0b3dc69980e384594ef94d98d478

SHA1
ef29383badf9ea7b18fa75dfe049a4e394168219

SHA256
173f5c5d88a3397d7bab46bf24284d730e1e07166b5a11ecdefdab82aba849e1

SHA512
554d5361c51712811d4923f09dc75e070d73bd940a6a31f96de8ebe508aad64e2cd85ff879f8df3a99d4585565658b46757c2653da03da71dede6800e43d7f7b

Download Submit
C:\Windows\SysWOW64\Ppgjkamf.dll

Filesize
7KB

MD5
cfe0198005687cac4a96ee33ff9e0147

SHA1
eb9c4b66779e3cd33c815c846218ff7aaeb07e79

SHA256
851d0cae7512565431abd25314fcb8bf52d3cf112a12cc3a711974da214d9b1f

SHA512
61e1d66a44915d8153b111afdb7d883ce1d6da3bdb6d47a88183bebffdf84bca2fa93cbb4921c0f6155cd22fcee534fa5d6750802bf5600be3451aa7eb5a25f3

Download Submit
memory/396-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/428-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/432-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/452-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/464-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/492-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/560-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/640-577-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/928-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1100-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1100-586-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1164-328-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1308-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1344-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1368-556-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1368-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1384-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1412-525-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1472-559-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1484-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1548-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1552-417-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1568-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1592-470-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-558-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1680-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1680-565-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1704-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1772-365-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1776-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1852-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1868-454-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1912-272-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2068-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2108-579-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2108-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2116-512-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2124-410-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2156-291-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2224-255-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2320-598-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2324-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2380-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2456-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2480-228-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2560-580-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-526-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2720-557-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2752-452-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2820-550-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2884-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3008-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3040-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3044-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3160-500-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3296-572-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3296-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3300-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3464-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3500-399-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3576-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3676-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3784-338-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3808-278-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3848-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3868-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3952-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4048-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4068-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4072-570-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4136-207-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4244-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4252-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4284-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4324-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4340-350-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4352-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4384-591-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4456-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4464-165-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4544-593-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4544-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4560-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4568-519-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4708-537-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4780-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4812-92-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4852-446-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4908-548-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4908-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4976-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4996-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-266-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads