98ef725b0591301f1bbea9d9fab20ec14c71767b07bcef631984644ae4b56a76

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

450cef504f62b6f383158e52b3215780_NeikiAnalytics.exe
Size

42KB
MD5

450cef504f62b6f383158e52b3215780
SHA1

972510bccdace26ae685459741d7e699b9f48391
SHA256

98ef725b0591301f1bbea9d9fab20ec14c71767b07bcef631984644ae4b56a76
SHA512

353f3a64e7e854ebabf6fcd045373f0f6da4e559ec92eed2ae5c3bb54004dd23ac069388620e53291fcaa32db4556b017e3a277842e8b6ee23caa46aaf725fe4
SSDEEP

768:OarwS9kB9EtjdChJTG7aBsvJudAkoK9Esav7P8Lp2w/eq/1H5:pcO09lba7uEJuT9b2w/L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe

Executes dropped EXE 64 IoCs

pid	Process
3076	Ffjdqg32.exe
2472	Fihqmb32.exe
1256	Fobiilai.exe
4504	Fflaff32.exe
3168	Fmficqpc.exe
1972	Gcpapkgp.exe
1188	Gfnnlffc.exe
4868	Gimjhafg.exe
976	Gqdbiofi.exe
3200	Gcbnejem.exe
3144	Gjlfbd32.exe
4960	Gmkbnp32.exe
4120	Gcekkjcj.exe
4476	Gfcgge32.exe
2824	Giacca32.exe
4152	Gqikdn32.exe
1660	Gbjhlfhb.exe
696	Gfedle32.exe
4792	Gmoliohh.exe
452	Gpnhekgl.exe
3132	Gcidfi32.exe
2984	Gjclbc32.exe
1272	Gppekj32.exe
4232	Hihicplj.exe
1072	Hpbaqj32.exe
3660	Hbanme32.exe
1952	Hikfip32.exe
848	Habnjm32.exe
2732	Hbckbepg.exe
820	Hmioonpn.exe
3136	Hpgkkioa.exe
3704	Hfachc32.exe
684	Hippdo32.exe
316	Hbhdmd32.exe
4356	Hjolnb32.exe
4236	Hibljoco.exe
2544	Haidklda.exe
1336	Icgqggce.exe
3436	Iffmccbi.exe
1588	Iidipnal.exe
68	Impepm32.exe
4532	Iakaql32.exe
3556	Icjmmg32.exe
4544	Ifhiib32.exe
1884	Ijdeiaio.exe
1452	Imbaemhc.exe
1084	Iannfk32.exe
5000	Icljbg32.exe
632	Ifjfnb32.exe
3560	Ijfboafl.exe
2436	Iapjlk32.exe
5068	Idofhfmm.exe
1080	Ifmcdblq.exe
3980	Ijhodq32.exe
2120	Iabgaklg.exe
3740	Ipegmg32.exe
4324	Ibccic32.exe
4616	Ijkljp32.exe
1096	Iinlemia.exe
3728	Jaedgjjd.exe
4408	Jbfpobpb.exe
1700	Jfaloa32.exe
744	Jiphkm32.exe
2060	Jmkdlkph.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Fmficqpc.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fflaff32.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6280	6192	WerFault.exe	242

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	450cef504f62b6f383158e52b3215780_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3076	2124	450cef504f62b6f383158e52b3215780_NeikiAnalytics.exe	81
PID 2124 wrote to memory of 3076	2124	450cef504f62b6f383158e52b3215780_NeikiAnalytics.exe	81
PID 2124 wrote to memory of 3076	2124	450cef504f62b6f383158e52b3215780_NeikiAnalytics.exe	81
PID 3076 wrote to memory of 2472	3076	Ffjdqg32.exe	82
PID 3076 wrote to memory of 2472	3076	Ffjdqg32.exe	82
PID 3076 wrote to memory of 2472	3076	Ffjdqg32.exe	82
PID 2472 wrote to memory of 1256	2472	Fihqmb32.exe	83
PID 2472 wrote to memory of 1256	2472	Fihqmb32.exe	83
PID 2472 wrote to memory of 1256	2472	Fihqmb32.exe	83
PID 1256 wrote to memory of 4504	1256	Fobiilai.exe	84
PID 1256 wrote to memory of 4504	1256	Fobiilai.exe	84
PID 1256 wrote to memory of 4504	1256	Fobiilai.exe	84
PID 4504 wrote to memory of 3168	4504	Fflaff32.exe	85
PID 4504 wrote to memory of 3168	4504	Fflaff32.exe	85
PID 4504 wrote to memory of 3168	4504	Fflaff32.exe	85
PID 3168 wrote to memory of 1972	3168	Fmficqpc.exe	86
PID 3168 wrote to memory of 1972	3168	Fmficqpc.exe	86
PID 3168 wrote to memory of 1972	3168	Fmficqpc.exe	86
PID 1972 wrote to memory of 1188	1972	Gcpapkgp.exe	87
PID 1972 wrote to memory of 1188	1972	Gcpapkgp.exe	87
PID 1972 wrote to memory of 1188	1972	Gcpapkgp.exe	87
PID 1188 wrote to memory of 4868	1188	Gfnnlffc.exe	88
PID 1188 wrote to memory of 4868	1188	Gfnnlffc.exe	88
PID 1188 wrote to memory of 4868	1188	Gfnnlffc.exe	88
PID 4868 wrote to memory of 976	4868	Gimjhafg.exe	89
PID 4868 wrote to memory of 976	4868	Gimjhafg.exe	89
PID 4868 wrote to memory of 976	4868	Gimjhafg.exe	89
PID 976 wrote to memory of 3200	976	Gqdbiofi.exe	90
PID 976 wrote to memory of 3200	976	Gqdbiofi.exe	90
PID 976 wrote to memory of 3200	976	Gqdbiofi.exe	90
PID 3200 wrote to memory of 3144	3200	Gcbnejem.exe	91
PID 3200 wrote to memory of 3144	3200	Gcbnejem.exe	91
PID 3200 wrote to memory of 3144	3200	Gcbnejem.exe	91
PID 3144 wrote to memory of 4960	3144	Gjlfbd32.exe	92
PID 3144 wrote to memory of 4960	3144	Gjlfbd32.exe	92
PID 3144 wrote to memory of 4960	3144	Gjlfbd32.exe	92
PID 4960 wrote to memory of 4120	4960	Gmkbnp32.exe	93
PID 4960 wrote to memory of 4120	4960	Gmkbnp32.exe	93
PID 4960 wrote to memory of 4120	4960	Gmkbnp32.exe	93
PID 4120 wrote to memory of 4476	4120	Gcekkjcj.exe	94
PID 4120 wrote to memory of 4476	4120	Gcekkjcj.exe	94
PID 4120 wrote to memory of 4476	4120	Gcekkjcj.exe	94
PID 4476 wrote to memory of 2824	4476	Gfcgge32.exe	95
PID 4476 wrote to memory of 2824	4476	Gfcgge32.exe	95
PID 4476 wrote to memory of 2824	4476	Gfcgge32.exe	95
PID 2824 wrote to memory of 4152	2824	Giacca32.exe	96
PID 2824 wrote to memory of 4152	2824	Giacca32.exe	96
PID 2824 wrote to memory of 4152	2824	Giacca32.exe	96
PID 4152 wrote to memory of 1660	4152	Gqikdn32.exe	97
PID 4152 wrote to memory of 1660	4152	Gqikdn32.exe	97
PID 4152 wrote to memory of 1660	4152	Gqikdn32.exe	97
PID 1660 wrote to memory of 696	1660	Gbjhlfhb.exe	98
PID 1660 wrote to memory of 696	1660	Gbjhlfhb.exe	98
PID 1660 wrote to memory of 696	1660	Gbjhlfhb.exe	98
PID 696 wrote to memory of 4792	696	Gfedle32.exe	99
PID 696 wrote to memory of 4792	696	Gfedle32.exe	99
PID 696 wrote to memory of 4792	696	Gfedle32.exe	99
PID 4792 wrote to memory of 452	4792	Gmoliohh.exe	101
PID 4792 wrote to memory of 452	4792	Gmoliohh.exe	101
PID 4792 wrote to memory of 452	4792	Gmoliohh.exe	101
PID 452 wrote to memory of 3132	452	Gpnhekgl.exe	102
PID 452 wrote to memory of 3132	452	Gpnhekgl.exe	102
PID 452 wrote to memory of 3132	452	Gpnhekgl.exe	102
PID 3132 wrote to memory of 2984	3132	Gcidfi32.exe	103

C:\Users\Admin\AppData\Local\Temp\450cef504f62b6f383158e52b3215780_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\450cef504f62b6f383158e52b3215780_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\Ffjdqg32.exe
  C:\Windows\system32\Ffjdqg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\SysWOW64\Fihqmb32.exe
    C:\Windows\system32\Fihqmb32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\Fobiilai.exe
      C:\Windows\system32\Fobiilai.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        28⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        29⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        30⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        31⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        34⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        38⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        41⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:68
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        45⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        46⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        47⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        50⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        51⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        53⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        54⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2240
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        67⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4820
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        75⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1252
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3700
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        79⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        82⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        83⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        84⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        86⤵
        
        PID:456
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        87⤵
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        88⤵
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        89⤵
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        90⤵
        
        PID:628
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2304
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:440
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2384
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        97⤵
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        99⤵
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        103⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        104⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        108⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        110⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        111⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        112⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        113⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        115⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        118⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        119⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        121⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4836
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        124⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        125⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        126⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        127⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        128⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        129⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        132⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        133⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        134⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        136⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        139⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        143⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        145⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        147⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        148⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        151⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        154⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        155⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        156⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        158⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        159⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 400
        160⤵
        Program crash
        
        PID:6280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6192 -ip 6192
1⤵
PID:6256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
42KB

MD5
7d9cad9dbc017971470a35e224d73fc7

SHA1
d9af38ccb10838b2e8e53e37e469e20aa624a705

SHA256
db4b733f6c1de42853f3790a7df14b36d94a67dcf6b02e4d8e1f43662d827c3d

SHA512
d0306ce455f5cd4847eab0d1c8fd70a05e34b33a9600eb70c284bca9381e46c4916dc3e79e515d98e83b220b25073cb0b6774d9604e3d26a862a70e6fd371178

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
42KB

MD5
4d21b2ff792adab0cc3f50fd817422ae

SHA1
42f2e82362bd34b2f206fe130e8589626cbef527

SHA256
4a78b216752ae939acaceb1cadc7b40d79667aed4fed6e957963a2331c0f5b2f

SHA512
520b592d4d31d0799e037bed7eac36d2c0936bf45f16a6fa58090b8ae77d08486e12857419c28a4dbd8863e249aa884914ce3cee4cee0340d38eadba691e6b76

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
42KB

MD5
ca0bfbed20cb5d169ed7c1f5bec84a90

SHA1
f0075ec44447a451686ac55a1538ab49dd5f4f16

SHA256
b54cb957f3d99fc5b4b934aaf4915de2c612a032799e6d59d2008741cfba3ef6

SHA512
542766b51093d56c42183dae75cac97bd7ce02062990729494d0151a11195bbebb6671ae9d4b19b79d386f75f72b908aaf55f96d0a1c1fd6b13b3a0d6248023b

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
42KB

MD5
5de9c182ff8262e6cb531cfa51f374ae

SHA1
4e59b82b432f8d0431b0c39c93fcd53f5469731a

SHA256
d0eda81b7d54d8b99c466ea9a50dd8f8b8a87f3278e3f91553be94af6c5762da

SHA512
a7231f59028bc14f977f67d55f94869d76428ed6fb49cdbf830a4318e84983696accb0728ae9315915a2ff0a8c0262cace01187ec79044cfcea2b7a6ed212fba

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
42KB

MD5
c8103f41ec67e07b39bf560da76fcc52

SHA1
6243012ec6e4f0b3848d1b7b47b51e43e90c7c40

SHA256
84d3d2dfc3be427bafdfad432a71de39c5d5f2b10f537252d2c4bd4ef15eaf33

SHA512
7390bcec733669f1237ae206f014eb0c880bce2e2575ebb8fbb3991ccd51471b9edbbae4675632592d78d8319bb49d48337c13c034bc0abb8b5a7388829891ce

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
42KB

MD5
fdf473c26723be164b603fce287126b8

SHA1
99c6426ec2cc4582c4fc51139f6585a652404c0c

SHA256
bb3dd1d1948b2f607691bbdd7cc20960b314d7babe8749260cd560d516cfb2d6

SHA512
a6f88cc42aa30ab8fbd8f3a59dce0994a1e7f4fa975a148388f6dbe1af1f5cfde803c0c90aee1f3d5f22bfbb551d88779553a55106d87154b15ac7eec4d88cc3

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
42KB

MD5
697f206e4453dda3c394eb15546a4a45

SHA1
6bb2fc91a9979a0f1e44adccb41ed4b4117b6a4a

SHA256
dad950299ac5fcb7a20ffd95a39172b50915f3ee79e52a7ff95d115ac6aec78a

SHA512
f3a2195313029a6cdcf1379a8f672371441bf0c89e973e7624d4059229d7056fbc680d8ca257dd3e56d43a855fda9ac8d854ba19d62ffda20fbed32dda3bfda9

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
42KB

MD5
d12c1941117f0cd63be8388e77fdd22f

SHA1
37a89a5cb6051546ca774c252ceec3e7a265e3f4

SHA256
aba309301be6756f8190e36e692dbe2b28345265d998a11c48e5c31a85747d7e

SHA512
ba8d037c252eaf3db47bcb9cd7d6ce366a688d271cafc7194cb2abc6bd0548ac2d30d94848509b8dbf4f0df3f94f3e34cb28afd13b1e0013bb631d818864176c

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
42KB

MD5
02d4718b38a9b4abaae422c5e157ab73

SHA1
5c80a70981af5e8d63dca315333ef82e7f48781e

SHA256
36840e016284522662c67af8efa62270216ddce70ec4e34dbe13fdbd71dfc59b

SHA512
da7af04c6c4ed99b740ffec6646c88131bbfd6c70dcb3b1b2585b0ddce683882bf0c83013c573192b488547f35b25ee5781e34ce1fd1104233f995ec50354d93

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
42KB

MD5
929e3275b27f1783b0e8f9b5c51ee882

SHA1
92cd22123e80af2a71ae3f66b9ce4a1c075a5328

SHA256
dac333a5d364bd2b4ac04258be654ba73bb8187cf963bf1e8cea731f74e75215

SHA512
18e5f6de77a9bb0a3c8f9942d4bdf030a3064fed7a49e1e5484abab05b74563576e74009830cc316610cd49075d8f14cc13350d921654de7d935e59ce361e296

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
42KB

MD5
b537a75c6962f58ce8b9f64e10a76e5e

SHA1
3c79d666ced6a9105674756f8e0be4fa1ef9aec0

SHA256
374f4208eb1ff8a0d6d2bf55b2b0d1582441aa3708ea368defa07efb9699342b

SHA512
54f302b9a9d414a3bae400cb880f5457d7dcc63167a22a7bcaaddbbc9ddebfa0fc469f6fca38d46c4e8659192f4f09c669b345f87e279592922e080561a8c441

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
42KB

MD5
c52e0db29b836836e7034be83dd69312

SHA1
27f87fcae672c033e1addfe0365e0ea76bed49cb

SHA256
449a8a221e6ec0caf8bd53a5b7ca5db0d461b6a544b095fd9ab1ae27537e4821

SHA512
5a752edca1e4b72019e449350b347d0bd91d97793a28be9ba77e2066db7d6bb7ab0b9bb9e03227c27dcef26eab2db501841d297b47330298bcf7f7ddaa761cb4

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
42KB

MD5
04944ab03a22c7b7a6e9c172077d2f7e

SHA1
9d3b0da0beb4a98b6ecdfeea05941b70d79da7ae

SHA256
653f48dabadc76009a2faf0ce02b0f52545526a1cede1b0c35eb70fa6c9855c0

SHA512
1facf4c86b4c4e85e6f8f43cfdc9168af81c5b417fb3c1a363b8a1ea58082dad859ea61bcbff2d928c59c74f6eda39ddbf1c38f25e11300beea5e2ce4d0f031e

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
42KB

MD5
5d1db1a0fe82f2f825f0572ddd6fae33

SHA1
58e51a0230cdd20a6d9dffea98aa346596875497

SHA256
9bbaa9adefd4de51ee609798708103585e99bcb2ec4b80c8997bd58f57fc623b

SHA512
0cff74e3fe21fb4d866f307d7b542e989531bd1f3c82b167b4590d51c6e3e5b77d7d844f5c747c17cd1dc685c23f552bd6afff62b8ca4d3f2f9be1006a505f9c

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
42KB

MD5
1dbd70e5af7fb6a7fb177a9119d77afc

SHA1
87315442c3af8fb603d154f65c4dc3e91694def3

SHA256
7cc36e26a786aceb0c60938db0477eebcf15ed357ff7f7d861f8d0f7685a8598

SHA512
edf2a5d57f9429fbb3b77625c131bc7f2cfc7d4c90721821bf5eb30d50b51eaa0006d5db5e2d86f472c649f099fdd687b2049d2cf79225d3981d853f9cee804e

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
42KB

MD5
9c3276c851eb8a045fc096ddcc9ae73a

SHA1
50be7a097acbf4c61b809865bd083ab932570e09

SHA256
8d35d22fa5ac6c910307891940ac9c0f14b8bbd6fd9fd5ba3719227a9993c745

SHA512
9b57ad1152bca4c0e7b62f95caf9627cb862b28815e4ac8c4b341c611551549b177a875450ecff0b0f2410df2563a453006f16fff6e337061da8c6d638d0703f

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
42KB

MD5
749eace385947ff7a53989dcd39bc668

SHA1
2ea6b98c581c69afe608f880d1b5d18118aa994b

SHA256
6e4b7dd988ed151eac07ca5583a78e1a158da98b2a230348dfb0bee368d6f4e3

SHA512
c9db5a405823c1498cc1eeb1a3d2d3b0e3a01fb977467e57384aeb295dabc23d92c7a53706f64889786006ec0925175be8fdd803c4d09ef5e6fb3d6c058287b5

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
42KB

MD5
249ccf6d58ac99cbed141e16792be4e9

SHA1
00e828ca615b63a110a13619b61b37cbb3d36664

SHA256
b02dc63ee7f9a42ca51f678f9e74e2cf9fd5d7a5c13af059ce1d9f54ef02c399

SHA512
c3ac39082bf6f14fc00c1bf4e631967fd0896624f69e1ddcf90c0ade050833de92eb07de9b1600797a4e0c7ab17342606733572918888522dde210bfbb890cbf

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
42KB

MD5
21450570b0b9e3579daebcfbb3d4b8d9

SHA1
3f6ee8d3b1ecc526e71f903377c981acc29d7448

SHA256
b1e5011ff70c1e30901307829b7aff2be669dafb6fb7e3c8432e558cd5208aa2

SHA512
1af20502bd1b65a24a5c44755e65228879a58c6c0366e2b7b76b3e91db965cc97c72ece6af662998fcdf87138381de6cd666204ebb1b8907b17876f6a5812413

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
42KB

MD5
5d6ed4d10f7d480fb6d372b8bbe668b8

SHA1
420ca50ba425ccc28dcc7db7e31f3f8ee3559992

SHA256
f5519681adea20c50d0f80cd6ef2d6e6067a7c007b1fc40f73774ea8fc1ab4c9

SHA512
57fd54780aeb27c3bbc486c648aebcdfd3580d5669c0a13ab7f33a5d8ad05a85d1abb563a3ed9764aa2a7b62e63a4d1dd00a9b152af3cfe81cea2944690d57aa

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
42KB

MD5
2979397089eb2834fc1eb0c133355d90

SHA1
f235f7338d75231db7fd0d17e1579ca2aaf63df8

SHA256
8db66f28c08f3d7df34c6858b35c0b611075f40245fa70651fbbaae48b73cf4a

SHA512
7abf179f7457503d09a8e963107b4a786ad22259faf0579433dc979f7871b234e5dc6d37bc74bcb1f8b120932bef420be1fd974f2db136aa643e5f028314ffc2

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
42KB

MD5
0c05408092f4344fe895dac9e28fe2dd

SHA1
27af60695c3d41cdedfe3c41bbd869a4e727dd31

SHA256
a2a9960da7cbeac62839b01a23650bfb56e49863717d43ec44c374b9382252fe

SHA512
e9139f632b68097ea0d51d9411fc7d6109e8db44e78f25bf567f028fc81772521279897103da0eaf18c9f3eaecc99a723d5ee18ccd7b2065d2980880b65ab910

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
42KB

MD5
bf9bfb7c806278114bf81c0307adf587

SHA1
0645cff71974787814ff630c24efb5a39d71910f

SHA256
404f9b31c417c5a6f69e2fd05439a44f7cb17c3dc2bdce3b2e4adf4c89992750

SHA512
1804d6e3528b7de8876e8f7138fb17e6eb125c9d70949dfae9fee0381b5b698d6181c76bae45e850cb67313ddf6b332beeb8d112a16b3804faddeb58796e7de9

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
42KB

MD5
2012a0197642be53dd2f8f82795a492e

SHA1
2c3cc44c9fe9c73f6060f756395af1f1c33a97b7

SHA256
6545c57a6595a9e36d100084f5a760323050c15e2e58b4778d0c9e04e639d4b4

SHA512
04bdfbbbf3231cec6c8cc675c093baf6a64110a4f9711ad534779f7e39261fbc82b647c2012e82e9d3b3164dc01061df14bd017c17e538e3aa89fb2f5caab1c7

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
42KB

MD5
2de28d9e2f6b23a976cea173da9976eb

SHA1
015bb23709cb4769ce3af86343df7f5e1135b18c

SHA256
3d8d1b4c899f1fe8b8c99f9a6302a1003bc8a026b1938f8fdd62b6f9f9a37902

SHA512
a9c22dd7452ad24696b8ef43f2c1981373443b1b658543f28392472166efe63df41354ec18886cfcc81b7ac0880abb7db20711d7bfc004ced942b70e6fc41416

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
42KB

MD5
db57c47ed041834f9a8444cf95f4b227

SHA1
747151fe8843076621e637360a2523a38734cf14

SHA256
9bf4b632d301aef47ac0bbceb006a27f7b3bb476ef59c7c4d81e4f7c93d1ba17

SHA512
825092f230ed65d65d71eaad6acb3c01cfb88f923896337e50021f2f618a3656c5f2b0eef452206e895ce603bd86565f083cdca859a7c131226b39ba1282c0d4

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
42KB

MD5
a5f41218673caa55b8ad58b0ef6305b0

SHA1
ff56b1ce5a1e60d3afd21de2c28d86f6bc436d6c

SHA256
a73a75925cba27563f353100459bb5f6bb91e596f73799932c86955102c704f0

SHA512
2fdddbf11c2b1d72b58185ec31269512c4fd891d8d2272bcacb9ac21a012360441260e40566691ac70dde5fe5eb75abc2f7be117bf487ab1d481a3ff5f21c373

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
42KB

MD5
005a25a59fdb3b2892a4c8a262216187

SHA1
4393102b99ad96ee96927af57e53673195eb52bf

SHA256
b89da6a90263b9f75c3dad4de5fedab3aa16b888b6332306a0bfdcbcbf3bbfbf

SHA512
a69af8c9d6a2ff12d586eeabc7bd2f8920368cb4cae705920a6a13fe41d2bb52ebc872a2e34e815b553872b8e48e20c9e1416d4298cbbddc2200d0a61b11abba

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
42KB

MD5
c32c12c308b646c8530fe889fa11a565

SHA1
e1adad54a92e79abff66bd19c4512be9cdb3d3d6

SHA256
5a75a27c06f3d154e3a8a7e31dbe80a9ed64d5bd8c280b966fc37d272394c2aa

SHA512
4e29ef3b3c2ecf8989ce5f0da7f694695ffb1ed6a905497b457c582f4e941a05fc29a12babadc8f05a60937cd761cd2f295449b845f62f16c1740d9a91ddb42c

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
42KB

MD5
525fcfcc08c7fa5096cf579c639c4250

SHA1
a7f6d09c23f1e2ed55571673cb4ef0a24636ebef

SHA256
06b8da1e338938e5880a52da3f9fcbac5fdff351cd61231c6113ff6246c9c353

SHA512
851b03a2ec87155d00a6ad5fa5539b972f0080a03bbf351739657a8910c88bf878fad2f88ef305264a3fa05964a8d20c97b5c5edb92ee649686aade217bc81c4

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
42KB

MD5
60bcc2e427217b05d67b0fd77f46edae

SHA1
ce22e7339021569dd359f891836d76c9f0dd7ef5

SHA256
b6d3ae5ec6e282b7f4059a26b3065d7b1ea189fbb15f3999affcc45a3d00f73d

SHA512
75d234cd930a9f97c40e8db3f6f49bfb85e481259183e7ab24d1f593861bfa6d5ce80a70f0bb447241f05744313bbe8c8e3e4c1bed01d3c302147bd909ba373e

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
42KB

MD5
6472d241550e73b184dd5894c5409c4a

SHA1
49b616608f14ad95500b06b0af171cdc8b69cf36

SHA256
fe251b29bb4e9c8cede2326892b8609645ae627f033213ef0864d2163a9672b7

SHA512
8177aefabbf584f0a8350fab01642681259265f0fc56fd35e8da1feee70721ba32c72d7ec192c5044f9e7045030ae1b932a2e6a1e9918ee8f2125fc174b6b39d

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
42KB

MD5
00c047b16f56c2deaa8dd4455c826ae6

SHA1
ad0ec6fe7470deed70aed2b2e0ee2b6c8005d1e0

SHA256
f3f51557d7302d948224bb36469c4be3c9eb948424b053466a21dc14f5a17c6d

SHA512
81d7737c2aa4b2fad80bc9cb53b48cec61ea9836628e9bf4ddf79c86319983f0beb6db084d34a25c8c07b3b4e1c5442a866f6419f5bd1151104e410204eb277e

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
42KB

MD5
d4fc194021cd5db03a237628f2995842

SHA1
e5966269bf2449542906fbafc38719c9eba33599

SHA256
0a5c911d8b4a64d32c34a0accdd3349502021cebd48c4ebe3f8e556f315c4307

SHA512
87911fd36adfafbcd4f93964c8282ab91333fda62a2b7bb218c379cf51d651916c0ecb2b4c3dc4c1c930f10769609905777d57ba45c32e9a50376e870584d468

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
42KB

MD5
604130532e94540f984c0a1133b1f5e9

SHA1
6b984a94d3bb506fb197fecbd86aeab8e3422e6a

SHA256
5d8eeeb29fe3f4976370ccb3d08d2cefac441afd0442591142be6a9f01287b0e

SHA512
3ad2399b31792b294feee14ac91e8b7613ed9c967cceb8a2ee2c8a2c6ad61662158fc679be2254db43bf13ae482215b583aecab9ecf26ada2abda37f38c461bb

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
42KB

MD5
004efbd1aea55e7dc1a8b7357b225bc5

SHA1
e2c37906d785b6439c92a20658d295ed74d7f707

SHA256
00e8e0cecb0b5ab88aa8f89fba7e25a04c1e2002e78b74ad6cb26575d814a094

SHA512
9746101b147306ee9f95651c557775c6689f6afb5888e6ac40218650875ecd1c606e6a411fbf5546186b42a45daa7ecbabe5192cfc030bbb17620e49f987a108

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
42KB

MD5
584fd89d93721262b0740d4b5a537b0b

SHA1
599fb9af874e7456b6aa1e93ee58dd1d25fecf29

SHA256
0242752db59ced545e9f98d24b0b605fcaea0a29a187970e3e80870e473adf37

SHA512
470d559415824186b9f0364ee0b9b21de243ec54d4907b1fe66a8de37dfd6b4698b96e189608480704bf8af62cd2d891b6089eade99c31069c4194d9bb912b6c

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
42KB

MD5
ce05558f48703c23235ebb2340a01d8d

SHA1
0133788ad374a12ccfb80478a2f93d530cfd7bef

SHA256
c5832970520e35b5a18a2f4ec40fb4d32363c0106ed88a1bfd85b34426baf135

SHA512
286f7668ddf7a4955a967b5fafecd463514fa3c25b22ff8320c20fa74044ec9405074192697b30ec6d9ca78692d2ed8c383f167964f4b0c52c45cb9b14a729cd

Download Submit
memory/68-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/684-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3132-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3248-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4152-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4356-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5544-1086-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6060-1131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads