d0534354aae5f9e56f98377f65acd890ed9bfade0ef6ea7ee7358936e9952f8e

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b2c526341491e224c1f4fb39e03ecc0_NeikiAnalytics.exe
Size

80KB
MD5

6b2c526341491e224c1f4fb39e03ecc0
SHA1

2610b70991ce069c992ecd2141e433d614b5ae35
SHA256

d0534354aae5f9e56f98377f65acd890ed9bfade0ef6ea7ee7358936e9952f8e
SHA512

08fe87db75067980cd6a56fa0b7dfd4aa8ec83a5bd1ed708a3b5190d136767f2c2f8c3c94fba6943058cb9cd13396cd6293660e886aef0b3a175ea3409aef07c
SSDEEP

1536:sJmbuDvRsf7lXugjj1jkJ2LjaIZTJ+7LhkiB0:ymbuDifp+ij3jaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe

Executes dropped EXE 64 IoCs

pid	Process
4492	Ehonfc32.exe
4836	Eqfeha32.exe
876	Fbgbpihg.exe
952	Fjnjqfij.exe
2840	Fqhbmqqg.exe
3252	Fcgoilpj.exe
2320	Ffekegon.exe
2688	Fjqgff32.exe
444	Fqkocpod.exe
4320	Ffggkgmk.exe
3604	Fmapha32.exe
424	Fopldmcl.exe
916	Ffjdqg32.exe
1764	Fihqmb32.exe
4588	Fcnejk32.exe
4032	Fjhmgeao.exe
4548	Fmficqpc.exe
4664	Fodeolof.exe
3232	Gbcakg32.exe
2416	Gqdbiofi.exe
5020	Gbenqg32.exe
2324	Giofnacd.exe
396	Goiojk32.exe
4568	Gjocgdkg.exe
4008	Gmmocpjk.exe
700	Gqikdn32.exe
2244	Gjapmdid.exe
980	Gpnhekgl.exe
4968	Gjclbc32.exe
4892	Hclakimb.exe
1532	Hihicplj.exe
3876	Hapaemll.exe
1064	Hjhfnccl.exe
5008	Hmfbjnbp.exe
388	Hpenfjad.exe
768	Hbckbepg.exe
528	Himcoo32.exe
3260	Hbeghene.exe
1888	Hippdo32.exe
3084	Hcedaheh.exe
4024	Hibljoco.exe
4452	Icgqggce.exe
640	Iffmccbi.exe
3052	Iidipnal.exe
552	Ipnalhii.exe
1044	Ibmmhdhm.exe
1528	Ijdeiaio.exe
1208	Iannfk32.exe
2476	Ibojncfj.exe
4864	Iiibkn32.exe
4832	Idofhfmm.exe
652	Ijhodq32.exe
2440	Iabgaklg.exe
2628	Jpgdbg32.exe
5032	Jbfpobpb.exe
4440	Jmkdlkph.exe
3032	Jpjqhgol.exe
2072	Jbhmdbnp.exe
3752	Jjpeepnb.exe
4672	Jmnaakne.exe
764	Jplmmfmi.exe
4616	Jbkjjblm.exe
2360	Jjbako32.exe
736	Jmpngk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5744	5604	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppheeep.dll"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kbdmpqcb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4492	1468	6b2c526341491e224c1f4fb39e03ecc0_NeikiAnalytics.exe	81
PID 1468 wrote to memory of 4492	1468	6b2c526341491e224c1f4fb39e03ecc0_NeikiAnalytics.exe	81
PID 1468 wrote to memory of 4492	1468	6b2c526341491e224c1f4fb39e03ecc0_NeikiAnalytics.exe	81
PID 4492 wrote to memory of 4836	4492	Ehonfc32.exe	82
PID 4492 wrote to memory of 4836	4492	Ehonfc32.exe	82
PID 4492 wrote to memory of 4836	4492	Ehonfc32.exe	82
PID 4836 wrote to memory of 876	4836	Eqfeha32.exe	83
PID 4836 wrote to memory of 876	4836	Eqfeha32.exe	83
PID 4836 wrote to memory of 876	4836	Eqfeha32.exe	83
PID 876 wrote to memory of 952	876	Fbgbpihg.exe	84
PID 876 wrote to memory of 952	876	Fbgbpihg.exe	84
PID 876 wrote to memory of 952	876	Fbgbpihg.exe	84
PID 952 wrote to memory of 2840	952	Fjnjqfij.exe	85
PID 952 wrote to memory of 2840	952	Fjnjqfij.exe	85
PID 952 wrote to memory of 2840	952	Fjnjqfij.exe	85
PID 2840 wrote to memory of 3252	2840	Fqhbmqqg.exe	86
PID 2840 wrote to memory of 3252	2840	Fqhbmqqg.exe	86
PID 2840 wrote to memory of 3252	2840	Fqhbmqqg.exe	86
PID 3252 wrote to memory of 2320	3252	Fcgoilpj.exe	87
PID 3252 wrote to memory of 2320	3252	Fcgoilpj.exe	87
PID 3252 wrote to memory of 2320	3252	Fcgoilpj.exe	87
PID 2320 wrote to memory of 2688	2320	Ffekegon.exe	88
PID 2320 wrote to memory of 2688	2320	Ffekegon.exe	88
PID 2320 wrote to memory of 2688	2320	Ffekegon.exe	88
PID 2688 wrote to memory of 444	2688	Fjqgff32.exe	89
PID 2688 wrote to memory of 444	2688	Fjqgff32.exe	89
PID 2688 wrote to memory of 444	2688	Fjqgff32.exe	89
PID 444 wrote to memory of 4320	444	Fqkocpod.exe	90
PID 444 wrote to memory of 4320	444	Fqkocpod.exe	90
PID 444 wrote to memory of 4320	444	Fqkocpod.exe	90
PID 4320 wrote to memory of 3604	4320	Ffggkgmk.exe	92
PID 4320 wrote to memory of 3604	4320	Ffggkgmk.exe	92
PID 4320 wrote to memory of 3604	4320	Ffggkgmk.exe	92
PID 3604 wrote to memory of 424	3604	Fmapha32.exe	93
PID 3604 wrote to memory of 424	3604	Fmapha32.exe	93
PID 3604 wrote to memory of 424	3604	Fmapha32.exe	93
PID 424 wrote to memory of 916	424	Fopldmcl.exe	94
PID 424 wrote to memory of 916	424	Fopldmcl.exe	94
PID 424 wrote to memory of 916	424	Fopldmcl.exe	94
PID 916 wrote to memory of 1764	916	Ffjdqg32.exe	95
PID 916 wrote to memory of 1764	916	Ffjdqg32.exe	95
PID 916 wrote to memory of 1764	916	Ffjdqg32.exe	95
PID 1764 wrote to memory of 4588	1764	Fihqmb32.exe	96
PID 1764 wrote to memory of 4588	1764	Fihqmb32.exe	96
PID 1764 wrote to memory of 4588	1764	Fihqmb32.exe	96
PID 4588 wrote to memory of 4032	4588	Fcnejk32.exe	98
PID 4588 wrote to memory of 4032	4588	Fcnejk32.exe	98
PID 4588 wrote to memory of 4032	4588	Fcnejk32.exe	98
PID 4032 wrote to memory of 4548	4032	Fjhmgeao.exe	99
PID 4032 wrote to memory of 4548	4032	Fjhmgeao.exe	99
PID 4032 wrote to memory of 4548	4032	Fjhmgeao.exe	99
PID 4548 wrote to memory of 4664	4548	Fmficqpc.exe	100
PID 4548 wrote to memory of 4664	4548	Fmficqpc.exe	100
PID 4548 wrote to memory of 4664	4548	Fmficqpc.exe	100
PID 4664 wrote to memory of 3232	4664	Fodeolof.exe	101
PID 4664 wrote to memory of 3232	4664	Fodeolof.exe	101
PID 4664 wrote to memory of 3232	4664	Fodeolof.exe	101
PID 3232 wrote to memory of 2416	3232	Gbcakg32.exe	102
PID 3232 wrote to memory of 2416	3232	Gbcakg32.exe	102
PID 3232 wrote to memory of 2416	3232	Gbcakg32.exe	102
PID 2416 wrote to memory of 5020	2416	Gqdbiofi.exe	103
PID 2416 wrote to memory of 5020	2416	Gqdbiofi.exe	103
PID 2416 wrote to memory of 5020	2416	Gqdbiofi.exe	103
PID 5020 wrote to memory of 2324	5020	Gbenqg32.exe	105

C:\Users\Admin\AppData\Local\Temp\6b2c526341491e224c1f4fb39e03ecc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b2c526341491e224c1f4fb39e03ecc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\Ehonfc32.exe
  C:\Windows\system32\Ehonfc32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\Eqfeha32.exe
    C:\Windows\system32\Eqfeha32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\Fbgbpihg.exe
      C:\Windows\system32\Fbgbpihg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        23⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        30⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        31⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        34⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        35⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        38⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        39⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        42⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        45⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        47⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        48⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        55⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        56⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        60⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        66⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        69⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        77⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        78⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        79⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        82⤵
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3936
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:212
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        88⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2392
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        91⤵
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1300
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        93⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:864
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        103⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        107⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        109⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        111⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        113⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        115⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        119⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        120⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        124⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        125⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        126⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        127⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        129⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 220
        130⤵
        Program crash
        
        PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604
1⤵
PID:5712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
80KB

MD5
d7717ab694e27072f927a83142cc921b

SHA1
dbea83364f6687d328d00b1d25bbd04c47b22655

SHA256
e81d54d6f24330cbfb54815d22dda961cb8d80348d55af8e9ad1280e02681db1

SHA512
d2eb452fdb5348ad8c609b7c8ab795843a0c09ed4f058d130dd14f25c91a0f68a62a3a57c412cc84d111df4c6e2e49133791b7a1acf4c4112e19d6efb60b9a17

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
80KB

MD5
451be1c3af2de0e107a4767e550270d8

SHA1
9815082468ece451791da155b39fd8bbb8b1bd11

SHA256
cf7f44abb415674befa78a3ac85f5bbf0ce0558cdc47a934cd4b80b378adf6fc

SHA512
c52e64dff31ca439c32e7d8e53f65f007533c8b9a8bc9d4e81e2fe1622637cb9eff555f2948f67d481faca520114f088712317c66c8c1837719e00e09f3dfb6b

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
80KB

MD5
057b1ecd279d3ae9a8351bf3d95a1dce

SHA1
6c54573cb23746ed4149a61fe0e645f7d77fec17

SHA256
0047f310207387332ccc3d1ee6262cad943308df9cac745cdc499d7c48478d80

SHA512
a1e13750560acbe5da40c059b49c8a7b842e6133f1812debeaabf224f081933fc2807039a8cea58106a5c82a7160bf4f8877aa75820165f84e8eced48abfe130

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
80KB

MD5
6c1dc24bc49b81341be652eaa0f9dfcd

SHA1
4194cd5fff2dcf8f8c52f92543d4eb1fbb80e738

SHA256
dd7d5b1221e877bdbe97acd961484dac9f12cbe222f6a17bab2b33556ed08116

SHA512
9d99439c2973506048c1c41e80078eabdb0504430fa098b4d9920bd37471753487672049ce31f7f7d5f7a8f148565636ab32ab179d6066dd5570a8c5b18dae0c

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
80KB

MD5
d83a94cca9f29b05cd8a2c1b9f326651

SHA1
19f9078b983a9d93f74afb9d29da519b7fa291af

SHA256
bce699e6052581cdb3c17cd9e4d3874190463afa4ff0e5066dc48e5da5b23628

SHA512
5475bc439f1094320743f50335e8b186d4d5f5c6e4d0b0e399a46d8a3a388ee122689c44f198742cb0a99e1f41ffe9feb722bd18602a5b1891f6229ebfb3e4cd

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
80KB

MD5
e8ab3b72337b672317fc18e841309aa8

SHA1
97d5213c360fa12c74781e70c3a77d3166cd8072

SHA256
d2295e3042d62552d433841adcfc002eda22de3e0015da4c7af430093ff32a60

SHA512
aa322c51fa2bbb6c3304851999b3f2803e46cd5af74d27339eea45370faaa40007dd44d12f89ad11f82fe89b49a20c8c1f4165aeafda7e55f354e7cb8690e66a

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
80KB

MD5
f5993415214efe6314b591cbf490d6b8

SHA1
c2608bdfba21bc670261f8d79a3a71ec230efa48

SHA256
df67ab61c73c4f37aff53a13d5d6698f7ecd7c0da82a6e65de41bf163ee3bbe3

SHA512
eebce1c548c201c9ab043611a4941326a12878253a9f4a555af7c0dea008978cce8b66b69e5d108c8ed9c145e49378d208eac14f87ee758c0658ba691625cfb2

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
80KB

MD5
639c78aaa9d11d134dcbc8cd9ca69157

SHA1
73669dba6957b1c12b80883b06a1ababc90ce091

SHA256
9dd4803488b358e88beb5320cc63d38e8fd7401ac3d092fb10cd85500f535d19

SHA512
8df665f48780804d2d8ebd284ac84e891ee0857df15e3346da225559496287369522e221130282db20b4603ee313d73fb890c62f65c93684732fc18813e27515

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
80KB

MD5
6fb5f838eeb826e7232525878aa91d2c

SHA1
03ff4fc1c5e0d9689923bb5d1b7f21f1ca3b8e56

SHA256
fd5745edc5d113638b3dd188a69221325686dad9e3c0e3b73db3398519acca35

SHA512
be9bf144286f21b5afc7c4472b23e36f8879ff200ef8b2f7320780359153225cadc4c42c444bb15ec51014b236a4e435d443f5a358b4acb07f05e7adcc914dcf

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
80KB

MD5
9ee2b5f80a9ef805fbe4a82df7cd22b7

SHA1
583729589a57e28306fedcb3ae711af23ea404b2

SHA256
561294d53bfa3f26cb7d40fb0b7b0c00faac396c47450dce1fb42a5e5ea16f32

SHA512
f1e19f4f629f689b2290173245fb7646a60e4f3436b5967478a76905e9cba7e97b427507036ad713b0da473d30a0233f46f981487996b9499ef59cd76d3637e4

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
80KB

MD5
67fa5425a34c4b0ecd9256ab02c91135

SHA1
071aa58f1e6043ba04a7d59c8fc8f3b07396887b

SHA256
66c28c2086405f983fe8053e302163f731880774a333896d725d70d3efbaa239

SHA512
98241fd09e071ee9c0f34c764feb3c48d601a487d50782ea52f32bdf0bcb29a1da2b255154ea8d6ef9c1430f1ea6903144ecdc9c7c8a2fc5b00a15360a0862ce

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
80KB

MD5
c700bcd3f7ded7a401568ba70fa103f3

SHA1
616d9faca7423def3ccbc52e7099379199905df9

SHA256
6290519205016f14062efa2bd619f292d747c6559a792c1c0d8e59b880047a66

SHA512
0665cd2f1dfc4d064f2fed1b4aea95e9a1c4acee0810afce39546bbe5410e8c9b10a6c2bb3453514f58afa451c0ca5f11cbb52567bcb05333971568dd29b7972

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
80KB

MD5
7ae417a07b9e359423fa2e74b46f4b3b

SHA1
ada0b96cb65133fa7ef9fb0cc7dbde3ddd85f4b2

SHA256
f96a6746e0cd7729b7fbc7782be20d394b0cb005df8f47f7d3eda9a0ba277abb

SHA512
f4140324f00efd96d5a7834d699dc027b12e20d5f75de3b2cd3b3ae301c6f09bea6e232935f3f4f6e211498d39ffc484139e8e3c74d238d2571c83175804d748

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
80KB

MD5
582ddd8012e895893a7246c8368bf971

SHA1
a814b49e2f5ad0a934ec16aeaa56f6adec08987b

SHA256
b7e9cde9ffab9056c51039f1cf37effa8e82d19b9010edf5f7eef68ae7413028

SHA512
8f791237f1670c846cf685bceab8fa0da496c3ef4b95680d693fa1d6a7c8931421a13b178fee30055e2f6adebc1810348062b24bced112d78c3345ab009c66cc

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
80KB

MD5
f8bdfabb4fea2a21ac5c7a90cf648c93

SHA1
1bfb8049c43bea96dbf96490d761a2acc92a2cae

SHA256
aae7bd68765bee79624146b86dadff588c75804f379f30c0f0dcc306ffe5640c

SHA512
de22c6e453686cf2f3761c8ea6a2d00d2d65c4a4cf9a3248f276f7f172bff6eeff9b36314265ddb3af73324fe16259b6245f83e1f337a4e37f28e8fd5900ce52

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
80KB

MD5
92ae95b564d41dd1eefe9da2b928141c

SHA1
7d4f0401ce20a1443c2f7b7c2f11dae4ab822477

SHA256
931906d2b8c3e20d0f823f02a937e0ba15483d47ed40c94700ab12f0bfbdb17c

SHA512
003e5ec6d69d689e1e44658dd319c83115f04c3d6d10d310bfcaa8059c589ca1bcdf3e07f20c3c90deb7626fa14ae91d757375c7c1f0ece02f0d87450bf770d1

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
80KB

MD5
dff1713b7c7888b5e4cecf4a3fc487ff

SHA1
85a6dda26944362069b332db1c1190b795820d15

SHA256
680e8c60adb3b994cd6fc5718c7d180ad4d2c52844fa5ec1d54946205ccac5c9

SHA512
370b66270da79f2279fb1123f3484acf01473e588c256d7590b2bf594ce04fcba29a7046f8f2cf1ed934f3f6c23b6e0fc62b2479431b76164f01b06f2eaf0a7d

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
80KB

MD5
0b42768ad9feeabcb5f2cc46c2fc18a0

SHA1
f6e6c71361171818c4234bf76d7d3d6913877e80

SHA256
a07f38ee2a2d584bc6265545702d4659f00b6fe1e85cffd752273d9dc7cb556c

SHA512
6bc41ab587014fdb0a52e1c20b8edd76b61cfafefe95f033efd800ae13c44703b602f5d2ce95def4bbcabbd1e88226023eda090ba387f53a4a5c0a5c51e62515

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
80KB

MD5
d815eeb5cfd5b5442ad205da013e5ffd

SHA1
5087c589b93b201b1e2023d868abfbeeaf06e9d3

SHA256
300a3543243c46f84ea8f9ed645b5d7fc32e34729dcf14586d323fde9faa4ef5

SHA512
0fcb8c0630639295ffae87a7e50059d0c718d98e0412b87bea2b898b77460c9cc970f29dd689603a4fb5b5e89ec6f4abe16529fb1854b49883bc08858b17f98b

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
80KB

MD5
7227c130d587b947eb0a6254de855de8

SHA1
fba48ccc4c84b8e074c0621bf03318cda10789fc

SHA256
7bf287e7538b2861155096efd261902df1330a6155be7211973c66151a6f605b

SHA512
93d7f0d0d089229a43cb03d916b97573dc6f6aae3fe5658d175ccf1e341912e3e7c39bd253719cd510e9cdee679566cc6fe34907d28b496746f8bf24c2ad8f0b

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
80KB

MD5
98ef41279948924af60bff30da85a42d

SHA1
b17a5d66c3f8884daa98557bec2862f75891baab

SHA256
9bf7489d0fa2326b567531a435fa904b313410d72c760f233792866d3a75e696

SHA512
41f10970f7d5cc52e559bb7623c2fc0b84337d71978dbcd0b0cfd88ce1531324faf6b44c1f55ecea568ba2b54a4a3fe4f46ea9c70f78b83b5f218f0662c732a6

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
80KB

MD5
4218672e1baecf0aa62ccbd52d14bd1a

SHA1
cfc12720858a6c366526f8c9293c472e8ae55957

SHA256
ae5f77b8a861c98fb6953ccbc69fda165c1f6db0ac4aa5a42f225a62afa2c6d1

SHA512
e47a42ae4b2ca69616bd8d7cd2f0d1eded5af42489a532e9ed9674a5ab57b082dd0fa7637b5406c271a96e0e7ea107e057fc3a0c555b796f77d96045d7f0eb48

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
80KB

MD5
db4f17c90a1e2a81d50f31a9637c1b41

SHA1
cb6058af489396309ce20042be438117a3fa729b

SHA256
67873b3fca80802c108fa1cacabaa04abc7b0702944196d8ca78244aa2e949a1

SHA512
58c2bacf43d9587cbcfd78cd925c5a090883e845a54a36903cb48851bcc32727dee1be417769a2d1ef1847f7e5556aa316fdeb9d233276ab1d8c6bd66efa141a

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
80KB

MD5
a6321085d0809ec7c3a60d6a6e090281

SHA1
91e51abfb7a3669228574b93d9967ddec00cc9ac

SHA256
3340a9f852130d3baaaab45c57153af070f26f6133d9e35524ccb74c12aa67bb

SHA512
76cfefd06595b433aad1047099067fb7cfd841e51bd1415b4a4e427145683d779027aa80f1c73b19b3bf0f0240a1955a3f2dda1bfb2981ee19e51b31510ab21d

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
80KB

MD5
225a9296e8065674370197d8e72eb920

SHA1
f1def039384ade54ee4d844d44f108e950686614

SHA256
e8259768411992ced6d8554e664586defa588ab5f8f0c7c541b76c2054f48ea8

SHA512
1b8d28623ac7b490c2e3a68de727cc5bb1dbc6ef42d3457eb73c1409a6e2e7b9f04e859a693dac2b202f27fe251c677ff0cce8d0ea8c19c7e9ac41f4a667342c

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
80KB

MD5
d7d2ca53a01baac9783b70741cba2190

SHA1
e8de90f03c23e15782cc55adc49d0aec729dd2dd

SHA256
d8036e7ca494bda1ab18913aa8871233309270f4d9f85bd5053439e726606db3

SHA512
3ca6b1255533cc45e461d5ad26a2d86f792c534083ec697804a1782005a399141242bdaa423a85eca77e945b9ee823bf79ebf8384a5441928d4d954882a79913

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
80KB

MD5
dd4c55c68bf0ea63b8ce9a4e9c98e99e

SHA1
5ec962329ea66cd46a6d7a30ce827cf3cc0eae68

SHA256
b41c7c5cf7bdc0e529b0bbccfc9dd9ee172a304bad78eb959ac5ecf893585a4d

SHA512
875666682e08291d7c561a467ef88a797b8bc40c02bf9f4ca1cc1b53c37030dde0f9fb8a61558617a1669e93d08e8b08e8f1174daefeebbdea66deb69d330dc4

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
80KB

MD5
a05f3a7ccf2eadd94048583811a64982

SHA1
4c94ba69d63dd5e2bd53156f8bf1bfafc538593e

SHA256
be1fba5184a2a8fc434e608e3d685030c981d501abc772abee06ad402d579ac3

SHA512
554a04813dff074517197c6c9ccc1a9b0c0810d010f7dabff291410b7f30670f4fad39243965dcd2be49c41b47a68f065ec9325c7d1d57acf9d229e219ba5a57

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
80KB

MD5
a56745c1dcf3a230993cd53197ef31a9

SHA1
cbec1b2d28e7dd4b11feed02a7b7d02ff2700b72

SHA256
d56092f1abaf2bcf754706f547f650f3374881edc279ac30773c403dec03d075

SHA512
29df386b9237e722faf0dcd10f301231311bb1582f30530f9fa526202fe66f0d27726b32450a598c566d4b270d2d4d9c848af37bccdcf7f4e8ebb49505655e51

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
80KB

MD5
bb3529c1b4a9a827dfc01047e6a59a31

SHA1
3e24e0ae53dd60c91a2c8ac2ed7b4378c9c1cade

SHA256
e9f3ccf7f09183226594a7212d13743e67b356a75cad6822e7ed64af00c4be0d

SHA512
f66fbab87addd584162de90ce276ad221c551b4f780d26cccd2d31d116e4d5e56b3cc595bf4b1440f8f8fb451236503e15aa6fb4e1ac8ce58cda593491d1448b

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
80KB

MD5
8b30e73ff594a14239e083074ee9e639

SHA1
fb68a8afad4efc8f94392d731b593a8a2a5c84b7

SHA256
db3a04275ab7120b39e76d52f0e966f862693f7de6a1dc9f0422e2efabe8cb59

SHA512
26c2e7e83a52c7ee04302754f5988f86efb9c0678e42cc34fb55f9ebc89e362311162b13f8e7d9a2b73a2cbc511a6e7c01f80496be32bca4e663c4c8c8de4f17

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
80KB

MD5
d9aaaf51c868edcc1a20887a388bcb3f

SHA1
3f3040e2fd5e7552c07676f20db19a538bc07e14

SHA256
91a84bb1e9697b82992b1f02bfb73381e92c53373b05decf43e559ecd331a304

SHA512
95d8c2c13ba5cf8030a083467391eb51339e880e4785c4ce5120e5162da1f05b73b56d8f5bb2f3db05a1662a6297147fbbb989cdfbf3076d5f13c66e6f1e010b

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
80KB

MD5
98c46db6417e044bbbef4d779b9ec5c0

SHA1
2131b7cbed2d98dab5bbd1bd3657fa7cfadb769f

SHA256
d1e4300d7654af1858dea1501a87e03d266fa8ed3f0114e848a617c6eee79501

SHA512
8a2444c1beb3728897ca8a285cd0468cdb45289d16a9f843ef824de4f4ca55ed14ffc2e5030326ed542f7e9c66522092615c231990b75944f24942601b1b387f

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
80KB

MD5
675767d389f334053351f8935c22d1ae

SHA1
e460f4c9c7440c0b5bc21e3a1ff6e56d17890ea5

SHA256
d0a0a51afb43c4a698da86bf8709611ba4d3dd3aa434c7ebb75a544d9a62ebd6

SHA512
9c4cd699901729a34264ae5950c48b72256d933eaa316e3f9359e25d2c9e77e85fef24fa9c422cce96619432bd711e341a0f5b36dda3c378578f700832ba6707

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
80KB

MD5
deac10b0c19e72512f0dd5dfd8cb6398

SHA1
00d3da96e83597f0f4990f56351317220b5a3ef7

SHA256
700d779ed2a30c84c77572d09c1d132d4bf812c09c194e664a51ca307e79e8bc

SHA512
1879ae9ed0ffcd8145f73965feee64f0ab8d57fd337fe99a64cd8b85f43d27ade638a8ae1f0e5bd00afcdd61b9fb5d809171861f60a983aa13f01d246da76168

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
80KB

MD5
7526ff9cba118e2edade0bef5d8381bd

SHA1
f865f26a7f1fb7901b18af4f7b026056246da7b4

SHA256
abeb1fc597ee1903370f4c311c83929320f71c555366dbe28e85861bb82422df

SHA512
2d284f4ec6ebb02c09a989e0107d39047cc5e82c2d877c77d01f4cf852eac88deb98011e430a2e44d42bd70ac439cfa5cf7c26eb13d4c7dfda2266998952e809

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
80KB

MD5
6e8533ff2246f17b59a2f944d55e54f0

SHA1
1f0f7b7317c2df55e1b4ba9d543338581d700fcf

SHA256
960768a18d291bf9fcdadd01310a7169813d504c6e777cb8ee545881f77bdd64

SHA512
4796b435c1e5c905bfe3b1eda11121700c48ce3f28b98aa5838a0cfddb3102af1b5cc201ab31124378ff9162a5fed8c0ba8caad0cc2f4b4b2d70387e483d5b75

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
80KB

MD5
200ef72d2310a9c83987b901b8fb6811

SHA1
5c2a4702b3d1ff3805b26bf1bb85ad9f397e1caa

SHA256
e25b866e1cbb8a514930d88024c9049f6c7764d676c3c6a977310f561ca456a7

SHA512
24782c25d9b86829762a5848f10f29fcd1c6d6ddae138c435515c76c735b2ce093af77ea03ce18b769f07b039b674d3164a103cf960f4bcede0ab2ce7b280f83

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
80KB

MD5
a47c2aec3555c757f5872669cdb9e794

SHA1
cd166279c4499295ca97e80a35f5eaf8d78a150f

SHA256
3adb6c1a8ac8f2a3b7eced0b516c9116b33dada27a7129bc7110ffb5755df8cb

SHA512
45cad326606ecaedffeb2e8d22ba074207eaca7bab24e04795d814a8cddd6417c698d84f6944fa87b9a665a878a9b9a923efe04f07f24bff0042767be3c31a7c

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
80KB

MD5
b94681ba7671c3892d3fd684de70f65c

SHA1
c14b6675cc9d91583891846a0229153c2077b06e

SHA256
48a2c7231468a82e75b41c5cc8085d1a91666125bd70adad9949f4b9f5c086d9

SHA512
c5c81519d919ea68b25da2547e602f335ed5ba081017574c3191fbcadf3fe3f525851e7262309743bd287578a59981ad5c548846667f695aca30d35f2c2b55ab

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
80KB

MD5
afbcd2793a39471d124d589161680793

SHA1
cb52b7a10eb7ab7979a471457c4d838155c0f888

SHA256
e46a1d027d026697420381c3d4ae28d32a676772213027daf629fb0f46148a91

SHA512
0cbcc3b01dcd4e04fba1c5a91d4c7613b6a6e5cad77fdefafebd5cb50f5aa6ba6ef18a5ded7e99f5ab3f7b172bc781e5ebfebe34f7ddff89785200383d8a514f

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
80KB

MD5
b88ed0782176dc7b921c80a3b33e1b54

SHA1
13ba9503f3e491502c679b980782f767fb73422d

SHA256
71abdcdd275406bfcaa55ea9ac4dc30ffc1f8dd7c787055ee0b05d36cba7e377

SHA512
8469c22d262a21ebdcacdac74f2b9196f4b8e08ae0a7da4296b4c633c29ad2c3ca428835500cdd9bc9720b785926450bada240caaf8b7863afcd4c88986c0f3d

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
80KB

MD5
e8ba211e846012080c38d1ccee671b34

SHA1
07daa3b29fe2e62fec88fa8f70316f78221d5596

SHA256
cbfa58816460bb45a11479781320cf9e495dc59a7753021271223afe9dfd2074

SHA512
5b9e47a158240f6dd1b6800257d1443f9fed1da4f00c6a26560d65f57f11c833ec4b86aa8312fba5f4f9e846ba909af2e0e5c42ed327ced025f146254e895dfa

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
80KB

MD5
76423772712fc8e3fc4e072263f48b72

SHA1
72ed9a609f9c55314d4eb324383df995dc8107ca

SHA256
0834c0a54e520d68d195940c196b0c4be74cbae53b98a9fdeed04801275ee234

SHA512
21490af0762897b8e61b8a96fa4c25b79aafe37f35dd77403041e0045f819c70a6979333b4394f495a7cb62f53056d7ee948605322d1f77ea879f98b9cb9369f

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
80KB

MD5
924c1864fe28ec6533e6e4fc14034610

SHA1
6104ee26a604b90396bcf2683007033c6695a14b

SHA256
81ab26c9f631ac30ad62b5c9960b072e95b81c2d4a47b3d54729b2eb3cbc7b4f

SHA512
7b1959f8f57ea91bbea3f57bfc336761228588206e1d7a5803ef5bb5768a48fd12f4d79e81b6e44cd5575cf8fb04ea5e0b4548eaccfebed3cf0fdcdd4c5f3b09

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
85047f1c360cf9925bf3b3df39a3f5cc

SHA1
a7eadffdc007c8542ae833906ed78c549f0d4785

SHA256
cd0422e9261d09088f25335bd8250fc1e7cbab3ef37d0554893bf15285cb7fc7

SHA512
7bafbea949423d9a51045fe66a74b185d01b8e03f3c2362e7128b535bab67d96ef838bd557201d0c05d4247201d0a28869ad19c071ec33ebcd4befb2960997c7

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
80KB

MD5
e4b2b6fc19f5ab2d5ef611eda405320d

SHA1
a78cbf63da4bf33a2fc8a8f389e861dafed1283e

SHA256
5b3f45bc61751af6d2f19e68497cbfbfeffdbb08520dd53188c54b0547b1b846

SHA512
4a1f5c35ed5d271aa633c0506020a84f38b022d04f9d6309251224b42359232a48aea52183fec40a3ce8803261eb0ecc337b42a1a8ca580799ca29b6bcf47245

Download Submit
memory/388-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/388-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/396-194-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/396-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/424-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/424-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/444-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/444-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/528-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/528-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-434-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/652-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/700-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/700-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/768-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/768-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/980-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/980-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1044-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1208-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1468-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1468-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1468-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1888-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1888-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2416-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2416-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2440-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2628-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-123-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3232-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3232-158-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3252-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3260-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3260-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3876-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3876-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-166-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4492-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5020-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5020-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads