45043a669fbe3336ec75d4a7e5c8ea6887f1dc708f4dca41a6affc7d6268df59

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e6ab58993b1f6e55a95bcc49ddadf0_NeikiAnalytics.exe
Size

128KB
MD5

77e6ab58993b1f6e55a95bcc49ddadf0
SHA1

7c60bb96979996eb21e2efe6f36e240c70550e6c
SHA256

45043a669fbe3336ec75d4a7e5c8ea6887f1dc708f4dca41a6affc7d6268df59
SHA512

8eebde44dcd8f50d9baec9191d3432e8e74e50f4224a86d8bcb8d8f41662decb0bd12ee6d477af189edc272b66b8231dc22e3f8f55488b1dea598c5922b4d65c
SSDEEP

3072:XrJya8ErHFntQsG62/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:tyDErJ6s54BhHmNEcYj9nhV8NCU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe

Executes dropped EXE 64 IoCs

pid	Process
4008	Ehonfc32.exe
1288	Eqfeha32.exe
4724	Ecdbdl32.exe
768	Fbgbpihg.exe
2756	Fhajlc32.exe
3512	Fqhbmqqg.exe
3128	Fbioei32.exe
2064	Fjqgff32.exe
556	Fmocba32.exe
676	Fomonm32.exe
4728	Fbllkh32.exe
4596	Fifdgblo.exe
4304	Fqmlhpla.exe
2768	Fbnhphbp.exe
4376	Ffjdqg32.exe
1048	Fmclmabe.exe
1072	Fobiilai.exe
4588	Fbqefhpm.exe
4888	Fjhmgeao.exe
1452	Fqaeco32.exe
3232	Gcpapkgp.exe
4664	Gfnnlffc.exe
1544	Gmhfhp32.exe
4812	Gogbdl32.exe
1880	Gbenqg32.exe
2460	Giofnacd.exe
388	Goiojk32.exe
3760	Gbjhlfhb.exe
3840	Gmoliohh.exe
4672	Gfhqbe32.exe
4328	Gmaioo32.exe
4860	Gppekj32.exe
4060	Hjfihc32.exe
4488	Hapaemll.exe
4252	Hcnnaikp.exe
748	Hikfip32.exe
740	Hpenfjad.exe
1284	Hfofbd32.exe
928	Hmioonpn.exe
4836	Hfachc32.exe
1128	Hmklen32.exe
4176	Hfcpncdk.exe
4048	Hibljoco.exe
4068	Haidklda.exe
2732	Ipldfi32.exe
3752	Ibjqcd32.exe
4568	Ijaida32.exe
3076	Impepm32.exe
4720	Ipnalhii.exe
116	Ifhiib32.exe
4484	Iiffen32.exe
4612	Iannfk32.exe
3592	Icljbg32.exe
5028	Ifjfnb32.exe
3472	Ijfboafl.exe
4576	Ipckgh32.exe
3680	Ibagcc32.exe
4336	Iikopmkd.exe
432	Iabgaklg.exe
3756	Idacmfkj.exe
3796	Ifopiajn.exe
2980	Ijkljp32.exe
540	Imihfl32.exe
5008	Jpgdbg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Llebfo32.dll	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Gddfpk32.dll	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6296	6204	WerFault.exe	248

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4008	4204	77e6ab58993b1f6e55a95bcc49ddadf0_NeikiAnalytics.exe	83
PID 4204 wrote to memory of 4008	4204	77e6ab58993b1f6e55a95bcc49ddadf0_NeikiAnalytics.exe	83
PID 4204 wrote to memory of 4008	4204	77e6ab58993b1f6e55a95bcc49ddadf0_NeikiAnalytics.exe	83
PID 4008 wrote to memory of 1288	4008	Ehonfc32.exe	84
PID 4008 wrote to memory of 1288	4008	Ehonfc32.exe	84
PID 4008 wrote to memory of 1288	4008	Ehonfc32.exe	84
PID 1288 wrote to memory of 4724	1288	Eqfeha32.exe	85
PID 1288 wrote to memory of 4724	1288	Eqfeha32.exe	85
PID 1288 wrote to memory of 4724	1288	Eqfeha32.exe	85
PID 4724 wrote to memory of 768	4724	Ecdbdl32.exe	86
PID 4724 wrote to memory of 768	4724	Ecdbdl32.exe	86
PID 4724 wrote to memory of 768	4724	Ecdbdl32.exe	86
PID 768 wrote to memory of 2756	768	Fbgbpihg.exe	87
PID 768 wrote to memory of 2756	768	Fbgbpihg.exe	87
PID 768 wrote to memory of 2756	768	Fbgbpihg.exe	87
PID 2756 wrote to memory of 3512	2756	Fhajlc32.exe	88
PID 2756 wrote to memory of 3512	2756	Fhajlc32.exe	88
PID 2756 wrote to memory of 3512	2756	Fhajlc32.exe	88
PID 3512 wrote to memory of 3128	3512	Fqhbmqqg.exe	89
PID 3512 wrote to memory of 3128	3512	Fqhbmqqg.exe	89
PID 3512 wrote to memory of 3128	3512	Fqhbmqqg.exe	89
PID 3128 wrote to memory of 2064	3128	Fbioei32.exe	90
PID 3128 wrote to memory of 2064	3128	Fbioei32.exe	90
PID 3128 wrote to memory of 2064	3128	Fbioei32.exe	90
PID 2064 wrote to memory of 556	2064	Fjqgff32.exe	91
PID 2064 wrote to memory of 556	2064	Fjqgff32.exe	91
PID 2064 wrote to memory of 556	2064	Fjqgff32.exe	91
PID 556 wrote to memory of 676	556	Fmocba32.exe	92
PID 556 wrote to memory of 676	556	Fmocba32.exe	92
PID 556 wrote to memory of 676	556	Fmocba32.exe	92
PID 676 wrote to memory of 4728	676	Fomonm32.exe	94
PID 676 wrote to memory of 4728	676	Fomonm32.exe	94
PID 676 wrote to memory of 4728	676	Fomonm32.exe	94
PID 4728 wrote to memory of 4596	4728	Fbllkh32.exe	95
PID 4728 wrote to memory of 4596	4728	Fbllkh32.exe	95
PID 4728 wrote to memory of 4596	4728	Fbllkh32.exe	95
PID 4596 wrote to memory of 4304	4596	Fifdgblo.exe	96
PID 4596 wrote to memory of 4304	4596	Fifdgblo.exe	96
PID 4596 wrote to memory of 4304	4596	Fifdgblo.exe	96
PID 4304 wrote to memory of 2768	4304	Fqmlhpla.exe	97
PID 4304 wrote to memory of 2768	4304	Fqmlhpla.exe	97
PID 4304 wrote to memory of 2768	4304	Fqmlhpla.exe	97
PID 2768 wrote to memory of 4376	2768	Fbnhphbp.exe	99
PID 2768 wrote to memory of 4376	2768	Fbnhphbp.exe	99
PID 2768 wrote to memory of 4376	2768	Fbnhphbp.exe	99
PID 4376 wrote to memory of 1048	4376	Ffjdqg32.exe	100
PID 4376 wrote to memory of 1048	4376	Ffjdqg32.exe	100
PID 4376 wrote to memory of 1048	4376	Ffjdqg32.exe	100
PID 1048 wrote to memory of 1072	1048	Fmclmabe.exe	101
PID 1048 wrote to memory of 1072	1048	Fmclmabe.exe	101
PID 1048 wrote to memory of 1072	1048	Fmclmabe.exe	101
PID 1072 wrote to memory of 4588	1072	Fobiilai.exe	102
PID 1072 wrote to memory of 4588	1072	Fobiilai.exe	102
PID 1072 wrote to memory of 4588	1072	Fobiilai.exe	102
PID 4588 wrote to memory of 4888	4588	Fbqefhpm.exe	104
PID 4588 wrote to memory of 4888	4588	Fbqefhpm.exe	104
PID 4588 wrote to memory of 4888	4588	Fbqefhpm.exe	104
PID 4888 wrote to memory of 1452	4888	Fjhmgeao.exe	105
PID 4888 wrote to memory of 1452	4888	Fjhmgeao.exe	105
PID 4888 wrote to memory of 1452	4888	Fjhmgeao.exe	105
PID 1452 wrote to memory of 3232	1452	Fqaeco32.exe	106
PID 1452 wrote to memory of 3232	1452	Fqaeco32.exe	106
PID 1452 wrote to memory of 3232	1452	Fqaeco32.exe	106
PID 3232 wrote to memory of 4664	3232	Gcpapkgp.exe	107

C:\Users\Admin\AppData\Local\Temp\77e6ab58993b1f6e55a95bcc49ddadf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77e6ab58993b1f6e55a95bcc49ddadf0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\SysWOW64\Ehonfc32.exe
  C:\Windows\system32\Ehonfc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\Eqfeha32.exe
    C:\Windows\system32\Eqfeha32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\Ecdbdl32.exe
      C:\Windows\system32\Ecdbdl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        24⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        25⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        30⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        33⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        40⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        41⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        42⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        43⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        44⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        50⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        57⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        61⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        62⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        66⤵
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        69⤵
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        70⤵
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        71⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        72⤵
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        73⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2676
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        75⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        76⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        78⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        79⤵
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        80⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        82⤵
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        85⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        87⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        88⤵
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4572
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        90⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        92⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        93⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        94⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        95⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        96⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        97⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        98⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        99⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        100⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        101⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        102⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        106⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        107⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        108⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        111⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        112⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        113⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        114⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        117⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        119⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        121⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        122⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        124⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        125⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        129⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        130⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        133⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        134⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        135⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        136⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        139⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        140⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        141⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        144⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        149⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        156⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        157⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        159⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        161⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        162⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 400
        163⤵
        Program crash
        
        PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6204 -ip 6204
1⤵
PID:6272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
128KB

MD5
7c5f5e665f337de1bf93b139c8fd5a00

SHA1
9b06898576df2bfe68d06172f031267c57b7d2b3

SHA256
6227aeb3e22baddf9e47b240a29e2c081e766803eedc25f4419834a78f9e70ae

SHA512
8cb475e55a03a96f109e9f27940b976174b872a783dd76635a10a9b1704a7f65a971c44f1d8c23e61bc64897cd8d5022df9bb9aab972d87d6b4622c774baa11c

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
128KB

MD5
6b51e2f51554ed898fe3e498edf2ab6d

SHA1
6e35ecba7388e13bd7904509fd88dc28afa358ee

SHA256
ffa1a5a2c36b7b2b8faad052b85aa2a3bd9942f98276f5795c00b96c13d54fed

SHA512
ac029e31ad23fb59e81010ed88176cf5687be99d1b17ec9ba974ad8e7958b47e5f057f1701f9abe92a8d40c240dc6ad361bc93cb082dd05941a8f59cda1fb187

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
128KB

MD5
13a8bf8d7db48005db531e829fdbdaaf

SHA1
b3684b5c732adf8f40cec158dc977f0bba361d7a

SHA256
67a09c0e2dab49453c7a44b51deae3b586047fe057b8fc1784139c9717439285

SHA512
4348dd8f59f974144913f2e6b4e4bbefd32cf87870572b84c9a5fa9bdae205ea4e21ed3f35d1c89fe4d0c739697aab6e67b25919ce72bd036c3f23cd6c1f03a8

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
128KB

MD5
d04af11a0e5ff4264831e90c6b8c9f89

SHA1
6d8d9c7e38dccf3b90427a1040a1629b8be62ce2

SHA256
284bb909ebbadcdf7ebeed14fa3feaf06bc65b062fd0fa5bc8bb6b0cb5a24192

SHA512
8f2fb97a38954939af7167d56c061850266f42dfefbf184baf7763bc4b8403b180067a0d2b13bc63de36cf34feb3ca7b88c2f47d8237b5eea9830146eeb37c6b

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
128KB

MD5
1f144851458fa38739a6cd2a9473129d

SHA1
fccdac6ba57625a82fd9e4a79c26468e568af346

SHA256
f7c28015988957ce36a52cd8b3d42723a69c137b8a5484cfdd00c8ae653aa731

SHA512
3cb4eabbddf2247cb179c1a1445d8dcc9b4ae88738732a2f90ee5dcb8212de385e192fc78a18c93f8700dddec6f33dcb1c915e18b536fc6982199e2247bc810a

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
128KB

MD5
6fd12ff29171c4e1f678f322f580adf1

SHA1
02ce533d98e28b29839a2b4eb3d91e3a856f0bcd

SHA256
9c5baa264d71d3fa32a67d42b1088a09f4590ccbadc32b79d233f77fd8f1c3b8

SHA512
8fb8e1ce8e5f3986bedce6c1ca31731499e34748068568d9ed0cda602069852d1963c37039e6b741c03ebde9700639d1f5f527d2f628bc4bd3e7dde4c20796aa

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
128KB

MD5
789f1fd47085666666f5850e8b1bb54f

SHA1
30a5fcd0f9940428c80f821324e90c4df756640f

SHA256
4ee9b973911b96b107d849b2bba9052f1795c11a01ee2610d9785c8dd4b9abd7

SHA512
d5e4a21de6cc8b5f3070bc14b62c12d36a81750a9cf27b31fcf60fc76235ae4947005e880fc5b43836f230f984aaabafbccccb1a521d4ec1bfc88469bd9b3bed

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
128KB

MD5
0b4ed77f32d39818b0e428dacb6d188c

SHA1
330cb202ecb902a40fe13510e6535c064338a861

SHA256
a18285629ff16952902d1650aa24de25f5c8e19df65ffe28396e3f3f05aad832

SHA512
33e4b92c0e708bae3df359fe13bd8d694509a6df88a8bd35f1a88c50f7b4133543b3629d1d82128b4f4fb9b5df9bf849dfac842dfbc788f137d841a4e08f1647

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
128KB

MD5
3c0ab5053c79c2b25197555bcce187bc

SHA1
0fda1e49daf34c5af3a58b969b6e3b0707e1b1cb

SHA256
dd04a397d26df514675f352fc988c9099a42ba228531b266e962bda285ecf739

SHA512
7a5b75358f3f6fc02d106583a756c4e318d33c5bad9c88e9105c97014ea439a55e86d6362770244aee1ff086e7499173c9478151576d1c153473ac0e402e4fc7

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
128KB

MD5
070a26cf0dcc6d4c06a8fad4900b7c6a

SHA1
2beb57989f7afa86d20c02b267d425db7a3410a9

SHA256
6aeaffd2b2170ddb1eedd14e626f3ce78cc37bfa498ee8546212c38ca1ea32e6

SHA512
d24ea4ffbef116c36053258a3d24b2630abbc656b8a65bd14484d4ff9e7c9772c041c43d553881b4a1d79b9dfebea26575a6a2ca8ac5122d1cb40795073554c9

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
128KB

MD5
5501c3b1ea439fda88b4096dc24e9b9f

SHA1
7a680b7a943e73e1d6acf9d08b40f3066e9fa65d

SHA256
902363b816586aa617eeac5f1b481155e1f82f9dc95449ea9b85d0ef172f085c

SHA512
469df75effc89a07d750588f3027d1f1f2eef877ec095f454b49e53c14a5e3aef90a4e60dbf577308aa3f7e82e88b355665bdda5681100b860c5f5f7f7fd6b80

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
128KB

MD5
a35598e519d4a03fb48e4102233a4435

SHA1
fce86e534bc458edda063f44469bb18ca8dc54a6

SHA256
a3b3dec42f5f30c295d4b3146329471ab8014d385aacae8f6384de1381c09e8d

SHA512
91ec0ca109fa89c022da3ba262e1a3f192c63875edd524cbc6190b307a83077b60ab809f478821465332ae27068b4539ff6fbc3d18e668da699ad59692e00016

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
128KB

MD5
3b5df0c24c07207ec95e87ad6e11da6d

SHA1
74f66a1c6c873d33993a3b7f46ad02c124b11c83

SHA256
40608852d85ffe2ffd2e9f9bcf6d41c19357736aed2ef08aa4633b713bf245e0

SHA512
353fc8bfeea0c1090ca69f4bb7a92963ff4eed5f515125d419d0708073084024800e4a5368bdd04f955cb2231b345f79526cb42a4a68605ae1efaa16ea27eff3

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
128KB

MD5
588d0127ca38f98d443b76d3d3437810

SHA1
c1e43e4808251bc9d949a7fbd6fd1527fbbcfb1b

SHA256
ad93a4bdc972cea680378882cca04f918777d656943d37beb6032b48e8de63ca

SHA512
5bd930b3ecfca06e23d0592ff7caba0a05d3f89356fdbe4b78c24db8938126477cac4709f9bfe78be5e9e54260cd1a2c2966ee03626a648a51b15b0e9ff4a555

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
128KB

MD5
ce19096eefc14fc5847d1cea44d85d3f

SHA1
1d1eada05f877ab3ecf4de5348ac8533d7cfdad3

SHA256
32f4afecbc0247f0189d29393e6a5c85cb83ab2ad5167d51c88044392c430b88

SHA512
68306e07f71be3edaaa17ea3a60caf4f4f675fca0441ed004a7c3502f57d8a49bd0745fd304cc3243d4e2a9a9a0d83e68b3a33d3d8f3fd9c5d6f95234940f598

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
128KB

MD5
80d8613cc7d1ea04c4f4dbeb0be1c51f

SHA1
fdbf461c67f4137590cadb6d967f46cbabe8b701

SHA256
f00b38f9d8caf8701f996421adce32b57e41011c8cbbafde69020b7ad1f035c2

SHA512
adaf7532db000271a8c7d1c033c37e408034ffa490a6e80ae69204ffa44a327d5fdce8ec8780201c1bdda0eafe093fe58bd3ce34520856ed8d3a466da4832c53

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
128KB

MD5
91ef598cf131588ddd2bcb8385c25435

SHA1
002d1e691ae2243d85cd27d7eaa189dae1e77e09

SHA256
080ff6e75032656c4a086abebd9309e44575ba05da5d7df62124b3e155b3e174

SHA512
9260ecf02fc6675ea1be92f5298b16cafe74d76a80e1353c1fe0957ccaf84d089ca1e1361ce899d366531ffdd06f02ec7ed855d749348600ea4606626884c3c4

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
128KB

MD5
1ffd737765c3200f647d6d99a10b2909

SHA1
cb15e6294c078f719a54cbb798251681ba55caa9

SHA256
7e8d298fa523d842b7f651d603e933aa7a0a1b2403501c30fb857745391ff0b6

SHA512
cbd19a23932faa94496e2059415be4517d87ae9b5bae5f7fb095bba6ddd1fce1af1e0dac9656f4b97e0ad56e3e0c6610d225e6e50fdbdd204e4d1d05b985a182

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
128KB

MD5
6bb04d499a3214f137e0d7e1150a1aa2

SHA1
ad4473ccf9c1f2d223a5b45e00715ba7cb46d6e4

SHA256
6d7e3a6441c7046ee9888248018113935b72539ecfb979f717916a123db6b67e

SHA512
1a8f7bdb870bae6ae3f3ab524b457607ae5b65b78e27911124721a256cc8824fd58fcad1c0b66d6b8dd6fd186906fbadba104c9c5f565e1921476fff80055435

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
128KB

MD5
4c6530427c5836f0911e2c404370e7d6

SHA1
124c478bcdc62edd0007cbea8bfcbba46b4aeb43

SHA256
fb5de0988dd1e8535754e793dcae5fff9c6cea063eb5181df08043d07de081ca

SHA512
4fcf9276a35367d17534b4c04cfc6163b7063a72f3cea7ef92229f47e4539b84cf10448139f513e273f41fe87e970c726e985adbef31549841c09e1002a6f9d5

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
128KB

MD5
1b0f419d269428a885896aef6939e818

SHA1
c702c75d9d492da907b2a4470a5f6ace912cefb1

SHA256
b30c32bf70297defe6c4c793eab85b8b5bb7dd2c4829161e8ea40343ccd040c9

SHA512
b58a8635faa0a0f27691ef3edf4b558aa409a5b2bf15ca1b46704678bb84a1e9e75bd811114cc407f3b43c0cb73630d1082fccad6ca92376cfa334d21d965112

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
128KB

MD5
c3548fabe257c0d004859ef4b7417551

SHA1
1fb393398fb913586d392e6876757a901d17c8fc

SHA256
313f6f21bf86af283296efab9ec07e6920a925832f1fc479340916d4a09bbb84

SHA512
623e5358c6bfe8be074b6fbc3b8a2b8c354d27a1711b1649f28b1d6b51e4191503664d3a46ac18692f44cc0da5abce92cdd3f214bfc4db96a53bf0215dffcc0e

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
128KB

MD5
1bbec2c25ef1184baaf52fcbbda6d782

SHA1
8b9b3f368d010eed3c55ad5a549164f36dbb4e6d

SHA256
890ed8aede24d546d8ef32713f445be2495d2e539fdbec1ab7c3341eb770faf8

SHA512
aaa29c462800023e002c1f19d54dfe16c30e6a6b360e59fa4830ba0dbc727f4da6075023bd2b3782b901371110ef623421d8275ed00f36a28a91482cca1d16e0

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
128KB

MD5
aaaafbb903981b8b4f25bb914b506707

SHA1
853e8baa1faeaa5d4f3c6494d3821ddfece91308

SHA256
84405ef9d9365a500156fe066ce495ecdfac5aa4a87bbea0db08bed3d3f6b0a7

SHA512
5e2d6c42725ac9cf3d1c10c7d5a8dc4b171ad3cd733857dfeaaa5b68bf1408dd1a035f9a5faeca8f18f48468e93f730cecea2156172ba3f46b6823c17d962cc8

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
128KB

MD5
aa2c6eb93e19549706fe5a769cdf1009

SHA1
aafc876c66f0392657ae50aefab9a8a4b46f1945

SHA256
2536e7d8c4753f1c2d7355c3e7b708d47597ddca56f2aa33e7bb15b338146c78

SHA512
a22a6f0969c7921af170ffeba6fd0bdd0b9d98f6ab7ada065c4a9fdb354a13c6043a3251a31e9886ae9d43edf3b07934c5f8fa74a16808cb496831032745a9c6

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
128KB

MD5
6b6d56418bb3eedb39bb7f94294c4941

SHA1
2f064f16982885ebf5f7674b705c5db9ffea15b9

SHA256
cf96b5dceb67b86fe4c963e65612f5a16632e94f776c930781aa00b8c29bf952

SHA512
19da99be24ec46f6f597de03d1dc86efe0b3b13fda66f3581f62cd7e1412faf12f89b28cd36e6f9d591e17ff2d502ba8dfe2c8c4ad85d1ce407ff9bba77f61a6

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
128KB

MD5
468f7e43880fe692f9c3157e8a33c325

SHA1
ae68a1c19de4e28c8bdf98d96e5d0f35c71653b3

SHA256
edbadadd3535bd07618405282849ab6e0daeb6e750fa048b2dc5131fcda352c7

SHA512
a13d20e2f4c2346cb6d805202986766b8cccf5cde101e34afc8abbb2a2c9def02c74422a83f69d3ff584dc542bc3d172b996a5374966cb0256171f3d2027e5ee

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
128KB

MD5
ead65207ff7dd87d3a510239b5de31b6

SHA1
97caeaaa58c8b2a3de31cc5bd7d5a13f49693798

SHA256
7ce43f854eb9f09bfdf1be5d96d8f82cf7bcb65f121af87585d4accde16224d7

SHA512
057863dde122db0329aaed4a45e43620421bc64a3904d825be6b032b6b144c0613e3e5bf47a699362145feb84c10f4bb79d5d600ac5ffa99f17f1968e079c444

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
128KB

MD5
ed6052c945a04354f433372deefd46ac

SHA1
78c882ca934343e70517446da6d9ee1f8d01bcb9

SHA256
d361731a6a02cf16f603784e92b73f13a1cea87ed09a7a6de7b223359ab11e42

SHA512
f65b65f87b2315638f80960750a622ea7528a4f708bb55b4131361caed9fc61056bae88e4e3d70689eeccaee1f507942e412eb7bcffaf4b82dea56dcd60ff711

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
128KB

MD5
16c73ba8519b0391b0ad954a51279099

SHA1
14ac7e0dea74c6c4729d79188b187d7739249c28

SHA256
7dc8b64ba2c29193c884c9b86731e5eb2675095f1097cfbbe8f82146b510e7c3

SHA512
b16c194fd9617c9838df40cbe14b57c6e4d00596dc439944fe9efe8c882667018f0934f6bd228b15a8d6dde0b513153c5456e8d61056fd7e6b56e08419364d3d

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
128KB

MD5
aaae2bee32b24615825d08c0d3a42fd2

SHA1
c76c781ec59ceb9467bf7b8504f3b5c09f800248

SHA256
b97cd0191e9a7ebac950e88b33462e6cd4b0be27083bae8ea89e8a239921c8d7

SHA512
5247b9ec80a244ee52689519ea2450f0a062d915139fd03baf233cdbd02f02bf437b51a0120202414705b7a82b2aff48ee0c328bd5eb8429e586699948490001

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
128KB

MD5
88f5f1d7bbff20af6f0cf46f69a2c244

SHA1
bb7ce5daa84933446f0d5ae91631ecd29bfdec8c

SHA256
e4b8a3df9fd06d6ffbeab49955f1dfeefb23733560b15f961e3d0493e8ec2500

SHA512
2a409f88f20d71025923a8c7765eb713aabdbe50ead5a3d055cdc87c0f7a427f515c99aa919ee7d8cee8aad1b07c060a69ad69c4dc9314f6450e1164000127f2

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
128KB

MD5
ee24c2a82aa3ff66c8b86dd1c992379b

SHA1
4b75d9f4a20f414f4b300dfa643cddf9fb8d512a

SHA256
29df63f53369286f01563cc211fed5f6ff62f2dc8224595115a7f1924b422f61

SHA512
7383eb6a5bd5c10ec31a0fc34e15eaa4b052ae50a9f5f12dee80ae641f14bc3f882236f77fc5a35258a2ad3aca26dfcf2d098a14547f56ab37790b360e2a1709

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
128KB

MD5
a5afc286de1db7f6dba1ec12639856ed

SHA1
1e2dfbc73adba1af7f5967ed4c1737a819370afc

SHA256
4fbca5699c0bc664bdcd4e9977fa4268b3ec2de12e780604b44698210f0a4593

SHA512
e13e9a010f90bd21133792e6990b06e8a880d03fb11241f15480f51f3a7a2015b346f16e1e1a23a8712347884262d10e328140d9b2d5d4225f648f0e1a678ba6

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
128KB

MD5
881d30cad917af6331d6e5c1b674543a

SHA1
fea98ae013206bb363689786c6e1c1aabb4c1618

SHA256
3e9b0848ab5602f40261a46349ecdbf15c48ba72ad0e9115fa983567ea7c53ff

SHA512
2543311b6cacadef0553372f60a0f780ffb088233d7c2a95ba97b7070762697d7d7f8c361d9307fe6e70911931226bfbf69aa586fa28dd0722118a7eabccf0e0

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
128KB

MD5
59cd261b5342c210e7630bc46adbd771

SHA1
9e532c1f141cf81cffabc4e48436ba9c9fac7340

SHA256
b5cba5c061c427e3d361d1b0aca358ee69d98a8725049737402b46dfc1ca4cbb

SHA512
e2abbd1c260f4b241435055775139946b80bdef46c8c9dac6f79dbdffd4f3b79fdf38a36431231fd406b178551d2f66d6f283b07486ceec9e60888103f23048d

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
128KB

MD5
89ffc4489e4223c7b7e7fba5c880729b

SHA1
3766eb92f4b527f326170151a2a1dea1a3f41230

SHA256
de7d39ba4c287bfde7e6c67f03ac695bd4817faa15ce2e893fa71d8366c0f7db

SHA512
b27f715c58cbefb1fb31d6cbc8827a0df148f80cfbf090ab3d1dc8cb5aec6fe3b3e5ff9f2e550a94350e600a919b6196790b15780d93c67ab69f86aa480651e2

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
128KB

MD5
c1a131a79d9d02c2c7554911225a0748

SHA1
43dfb8ebe0aaee1d2e81df0909c63cb4835ae446

SHA256
96b465c8b530073ac06e2e504a708e48d31135f83eed56abc7aa1cf726a10d1d

SHA512
3d40cb8e21c962746b84c37ed15aaa09c3569c36dd4e1a520164af6ddd6b9cca66a029ed47b81aa1b2a95d95f4e9f27700bef0109582224924f002603be7bff9

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
128KB

MD5
114bc419d97015baeef1b828b4d80289

SHA1
aca38aaa98b38a17a10eebaa0376a1c0157f7d87

SHA256
f22c7c166edb0bbe548e6cf5969171e27cc352d1b92e45be547e9d8b8b5afa0b

SHA512
f8581cd5c58e60cf71d9bac8f10a20033ef27ee904d34a2434604f470b2444b000624a55797f56108afaa9c5a2cb5ab09630dbec098e19d7188bb2bb45379719

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
128KB

MD5
dfd0c6bb256450e682e3b1c0bf841778

SHA1
337b3367bc8f87e26bbcbb34b38b009f0192af51

SHA256
491d17631f7b278d2a5c193c715d81edd5de0d3b21638d69ea9fd6d992b74125

SHA512
5a8ddf011f775620ee3a21b7345f6e5b3baaa86549b4a8aa7a2c18ea03df8688f02481f101a058157e24a786bcbaec9198ecbd2a9884b42d941e479c636835a5

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
128KB

MD5
16566250467f1297017b331a55ab9e51

SHA1
c90bfc84300d936a54a65ffdbae48f5a5236e86f

SHA256
3bc98be4180c5983f26ff778d2140abbbcc400f922f33c6d63866791c8a818a3

SHA512
6dd68e014d3bd3d3a732b18e3820bf7d533915074476e04fc56eb8309d47c500b77462cc03e6f76a5ebec1023f4cb9226ec4b3487f7fc80360b63f9adcc81c79

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
128KB

MD5
e6af94773a1a6a586ef7f71da0033ce7

SHA1
deb7b2a90e07343fb021aafcdfa39e7b9460e12e

SHA256
5c65daae07a31af48831ffd8b5e3a068fb509746c990afa3376ad5b86a3149b1

SHA512
a0dfaa5afaf8065fc13a245cb7e2e7a53c0412513f5e3743ba5587caeaac2702dc57dab8f5b99dc44bfa895ebea819834bb33df82cfbebc9f9bd848927dd650e

Download Submit
memory/116-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/388-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/432-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-571-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/676-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/740-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-576-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/928-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-493-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1064-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1128-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-487-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1216-590-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1452-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-516-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1616-525-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-599-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2644-578-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-505-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2756-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-592-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3184-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3512-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3512-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3592-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3680-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3756-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3760-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3796-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4008-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4008-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4060-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4176-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4204-543-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4336-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4376-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4576-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4636-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4664-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4672-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-537-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4812-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4836-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5008-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5012-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads