064ed9da920bf0aace3de0f74e7fa525f96b430e5be1b718bf81c2cf3746172c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064ed9da920bf0aace3de0f74e7fa525f96b430e5be1b718bf81c2cf3746172c_NeikiAnalytics.exe
Size

89KB
MD5

3bb7c0a948688e1aab4b9b634940dde0
SHA1

a58634a060c59bf69540f5f28a8d4f76d11ef5b4
SHA256

064ed9da920bf0aace3de0f74e7fa525f96b430e5be1b718bf81c2cf3746172c
SHA512

d783b400fec90ded6e54de847eabad5530417e815e2315751c8213dc725148ee39dce6a9966b43e15ce79fb7a75d841e686b414b7b93436b697b414a13b31fb8
SSDEEP

1536:UNiTTUTm0TE5IgRxeItWMGcTilK8dikKl30KBdl4rFTUA1IGNN8GrttgcHRlExky:UK4qWMJ+K8gkK/epIG78Ytgcxlakgwk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe

Executes dropped EXE 64 IoCs

pid	Process
4936	Eqfeha32.exe
2312	Fbgbpihg.exe
396	Fjnjqfij.exe
1548	Fmmfmbhn.exe
5004	Fcgoilpj.exe
4904	Ffekegon.exe
2424	Ficgacna.exe
540	Fomonm32.exe
4836	Fbllkh32.exe
1356	Fifdgblo.exe
1648	Fqmlhpla.exe
1676	Fckhdk32.exe
3556	Ffjdqg32.exe
484	Fmclmabe.exe
4316	Fqohnp32.exe
3280	Fcnejk32.exe
2556	Fflaff32.exe
3660	Fmficqpc.exe
368	Fodeolof.exe
4832	Gjjjle32.exe
896	Gqdbiofi.exe
4612	Gbenqg32.exe
1416	Gjlfbd32.exe
4248	Gqfooodg.exe
4028	Gcekkjcj.exe
4628	Gbgkfg32.exe
3120	Gjocgdkg.exe
4580	Gmmocpjk.exe
3532	Gpklpkio.exe
3420	Gfedle32.exe
4352	Gidphq32.exe
1460	Gmoliohh.exe
3032	Gpnhekgl.exe
1020	Gbldaffp.exe
4012	Gifmnpnl.exe
552	Gmaioo32.exe
556	Gppekj32.exe
2204	Hboagf32.exe
4728	Hjfihc32.exe
4476	Hapaemll.exe
5068	Hcnnaikp.exe
2820	Hbanme32.exe
4188	Hikfip32.exe
4996	Habnjm32.exe
4828	Hcqjfh32.exe
4740	Hfofbd32.exe
1944	Hccglh32.exe
2160	Hbeghene.exe
2096	Hcedaheh.exe
4868	Ipldfi32.exe
3152	Ibjqcd32.exe
5084	Ipnalhii.exe
3100	Ijdeiaio.exe
2540	Ibojncfj.exe
4676	Ifjfnb32.exe
4336	Iapjlk32.exe
1420	Idofhfmm.exe
732	Ifmcdblq.exe
4136	Imgkql32.exe
676	Idacmfkj.exe
4020	Imihfl32.exe
3804	Jbfpobpb.exe
4452	Jjmhppqd.exe
3172	Jmkdlkph.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Lbdcekmm.dll	Fbgbpihg.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7036	6944	WerFault.exe	243

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hcedaheh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4936	3948	064ed9da920bf0aace3de0f74e7fa525f96b430e5be1b718bf81c2cf3746172c_NeikiAnalytics.exe	82
PID 3948 wrote to memory of 4936	3948	064ed9da920bf0aace3de0f74e7fa525f96b430e5be1b718bf81c2cf3746172c_NeikiAnalytics.exe	82
PID 3948 wrote to memory of 4936	3948	064ed9da920bf0aace3de0f74e7fa525f96b430e5be1b718bf81c2cf3746172c_NeikiAnalytics.exe	82
PID 4936 wrote to memory of 2312	4936	Eqfeha32.exe	83
PID 4936 wrote to memory of 2312	4936	Eqfeha32.exe	83
PID 4936 wrote to memory of 2312	4936	Eqfeha32.exe	83
PID 2312 wrote to memory of 396	2312	Fbgbpihg.exe	84
PID 2312 wrote to memory of 396	2312	Fbgbpihg.exe	84
PID 2312 wrote to memory of 396	2312	Fbgbpihg.exe	84
PID 396 wrote to memory of 1548	396	Fjnjqfij.exe	85
PID 396 wrote to memory of 1548	396	Fjnjqfij.exe	85
PID 396 wrote to memory of 1548	396	Fjnjqfij.exe	85
PID 1548 wrote to memory of 5004	1548	Fmmfmbhn.exe	86
PID 1548 wrote to memory of 5004	1548	Fmmfmbhn.exe	86
PID 1548 wrote to memory of 5004	1548	Fmmfmbhn.exe	86
PID 5004 wrote to memory of 4904	5004	Fcgoilpj.exe	87
PID 5004 wrote to memory of 4904	5004	Fcgoilpj.exe	87
PID 5004 wrote to memory of 4904	5004	Fcgoilpj.exe	87
PID 4904 wrote to memory of 2424	4904	Ffekegon.exe	88
PID 4904 wrote to memory of 2424	4904	Ffekegon.exe	88
PID 4904 wrote to memory of 2424	4904	Ffekegon.exe	88
PID 2424 wrote to memory of 540	2424	Ficgacna.exe	89
PID 2424 wrote to memory of 540	2424	Ficgacna.exe	89
PID 2424 wrote to memory of 540	2424	Ficgacna.exe	89
PID 540 wrote to memory of 4836	540	Fomonm32.exe	90
PID 540 wrote to memory of 4836	540	Fomonm32.exe	90
PID 540 wrote to memory of 4836	540	Fomonm32.exe	90
PID 4836 wrote to memory of 1356	4836	Fbllkh32.exe	91
PID 4836 wrote to memory of 1356	4836	Fbllkh32.exe	91
PID 4836 wrote to memory of 1356	4836	Fbllkh32.exe	91
PID 1356 wrote to memory of 1648	1356	Fifdgblo.exe	92
PID 1356 wrote to memory of 1648	1356	Fifdgblo.exe	92
PID 1356 wrote to memory of 1648	1356	Fifdgblo.exe	92
PID 1648 wrote to memory of 1676	1648	Fqmlhpla.exe	93
PID 1648 wrote to memory of 1676	1648	Fqmlhpla.exe	93
PID 1648 wrote to memory of 1676	1648	Fqmlhpla.exe	93
PID 1676 wrote to memory of 3556	1676	Fckhdk32.exe	94
PID 1676 wrote to memory of 3556	1676	Fckhdk32.exe	94
PID 1676 wrote to memory of 3556	1676	Fckhdk32.exe	94
PID 3556 wrote to memory of 484	3556	Ffjdqg32.exe	95
PID 3556 wrote to memory of 484	3556	Ffjdqg32.exe	95
PID 3556 wrote to memory of 484	3556	Ffjdqg32.exe	95
PID 484 wrote to memory of 4316	484	Fmclmabe.exe	96
PID 484 wrote to memory of 4316	484	Fmclmabe.exe	96
PID 484 wrote to memory of 4316	484	Fmclmabe.exe	96
PID 4316 wrote to memory of 3280	4316	Fqohnp32.exe	98
PID 4316 wrote to memory of 3280	4316	Fqohnp32.exe	98
PID 4316 wrote to memory of 3280	4316	Fqohnp32.exe	98
PID 3280 wrote to memory of 2556	3280	Fcnejk32.exe	99
PID 3280 wrote to memory of 2556	3280	Fcnejk32.exe	99
PID 3280 wrote to memory of 2556	3280	Fcnejk32.exe	99
PID 2556 wrote to memory of 3660	2556	Fflaff32.exe	100
PID 2556 wrote to memory of 3660	2556	Fflaff32.exe	100
PID 2556 wrote to memory of 3660	2556	Fflaff32.exe	100
PID 3660 wrote to memory of 368	3660	Fmficqpc.exe	101
PID 3660 wrote to memory of 368	3660	Fmficqpc.exe	101
PID 3660 wrote to memory of 368	3660	Fmficqpc.exe	101
PID 368 wrote to memory of 4832	368	Fodeolof.exe	103
PID 368 wrote to memory of 4832	368	Fodeolof.exe	103
PID 368 wrote to memory of 4832	368	Fodeolof.exe	103
PID 4832 wrote to memory of 896	4832	Gjjjle32.exe	104
PID 4832 wrote to memory of 896	4832	Gjjjle32.exe	104
PID 4832 wrote to memory of 896	4832	Gjjjle32.exe	104
PID 896 wrote to memory of 4612	896	Gqdbiofi.exe	105

C:\Users\Admin\AppData\Local\Temp\064ed9da920bf0aace3de0f74e7fa525f96b430e5be1b718bf81c2cf3746172c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\064ed9da920bf0aace3de0f74e7fa525f96b430e5be1b718bf81c2cf3746172c_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\SysWOW64\Eqfeha32.exe
  C:\Windows\system32\Eqfeha32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\Fbgbpihg.exe
    C:\Windows\system32\Fbgbpihg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Fjnjqfij.exe
      C:\Windows\system32\Fjnjqfij.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        24⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        31⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        33⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        34⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        35⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        38⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        39⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        45⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        47⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        57⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        59⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        66⤵
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        68⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        69⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3920
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        71⤵
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        72⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        74⤵
        
        PID:652
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        77⤵
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        78⤵
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        80⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        83⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        85⤵
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        86⤵
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        87⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        93⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        94⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        97⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        100⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        101⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        102⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        104⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        105⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        106⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        107⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        114⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        115⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        116⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        118⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        119⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        120⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        121⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        123⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        127⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        130⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        131⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        134⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        140⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        141⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        142⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        145⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        146⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        148⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        150⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        151⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        152⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        153⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        155⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 232
        156⤵
        Program crash
        
        PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6944 -ip 6944
1⤵
PID:7012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dofqcl32.dll

Filesize
7KB

MD5
61018b1d050859b240d59a351c9881b8

SHA1
87ef9ba5b0df89540dccf0d8057a71e1b00063cc

SHA256
0b7d4cbb117ebf26f3c12b9551bd0684ac31a8dcf7dfe16f2174d090f3893d6d

SHA512
e772b9e11a943dfd469d0add8ddc60856b0858b9001af514fd38951a1bca0a738dc60a34c33bbc0cc000040709021eab6dcbe480293730abfbd15c413a411193

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
89KB

MD5
aa1c83ec1dcc5744c87f9b3147ff203b

SHA1
092c1624c29f9337353e9ae263527021c0bbddf0

SHA256
242f63aef40d233be983999b794b345eec59765b2e28dbf68b2ae263185672cd

SHA512
4fce07e50602f2b9da016138217dae63454f833442316fdce275c85139999e3da81f97a33d0001c39ea107f4a99762b26da770dcae98dcb156bb419e781b4929

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
89KB

MD5
ec2e576fe58dc505f62b3bfd35759b36

SHA1
142ea159cca08da54dab8b18b942a01ddd1d8512

SHA256
f3d8a0056ddca67d83c116c63f5cfbc38ab56d16b1a0b5168a5467515ff414cf

SHA512
bb96f02ee6399ba596162fbc4859606b68bf9cbcdcfef43361f75915f55f0cca64097e4b92003e55c14cc71c6902276c97d952ad894b22611ae4c3ed0083e84a

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
89KB

MD5
493c471ea569857042c3e479d5754324

SHA1
3a0e37e5a89b54fbaab981bf7445ef65ad26601e

SHA256
2d944cd9135be8859b3a27a4d3be5db47e5b81b1c908fafe5f67765917a42fec

SHA512
03c99e9b0d5e80746164678db2157e9d7dffd2b56db5e2604049afa061656041423ca41aa5661105789c2554de52ddbc6efb736d892ef6f5478a2e2a7d889e16

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
89KB

MD5
52925a00cdacba965d46a4ebebc9c94d

SHA1
dd94482545f7d6e86ce37c53be2875545c4f8b89

SHA256
c900f9c36f64fab3779f2df2a8e9a9e3aa3d6ae95aad18b2cbb41c0875a97c28

SHA512
3b87645d733e05001bb5de783cc285426ee748842b7cced43a14e81bedbd6c9425bba20fa109cb7985894b8b1e62972bbc46987b2e19058609f75aeceec13e1c

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
89KB

MD5
077130350032959dbe4d481b235eacea

SHA1
3d5a378531dc7de140936dba17fee40a0ec44ce1

SHA256
181463d50b64cfb4e96612040a6a50dfa0aaa16255a2697a62ec3911b8ff34b4

SHA512
11629cf2839a8ae0f6ce9a638593be6c2e074ffa0890b830ae7e8931d06f54295959e4a4f3934650198eb1c3e9cf9f4caf9aac5723a769124412872721e3dfab

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
89KB

MD5
dd956a67cae476ea31f4770306d14051

SHA1
b04c43c5788f2b4e07f9f4d1bcce4f3b938f622c

SHA256
8a071cccc5a8072cfbc76c94120d5e7a5968e85454f997c831e79a4049b2c013

SHA512
4e87212cc5c6ac262a3de3ca9be0a3234fe6e96d4c908db49ee61722f56bd9136c1e95c14fa7a66c850fb079d6d20bae582ca80a6201ace2792f8d7594801b6f

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
89KB

MD5
2d591631c035e7af4d2f4897e8dd9933

SHA1
de7bd74521ab24d07adc14f2e07045f3174f3007

SHA256
f02976f0488042d3d4cfd31cd294bcdb53db57320f7f99c034c8840916f285b0

SHA512
63b549f53c7dbb65f48a1f8e05fa8d316fed84db8ba137f0d206e70395293f0735c68c4842fa289b55d24765ada93cf0d8c520bee3d6701acbaa3ae79186cebb

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
89KB

MD5
c14e1e9d34a86123ca0212eeb5f73891

SHA1
7f5a448eb731381ef4699dcc5f6d13f23c3b8536

SHA256
bc321b10501c13dcd62eb79b318859612dd95f5507c000606e4a32a1c824da2d

SHA512
9d82208b9ca5ac98c7dc512fb01ac500eeb52b67a7995f3bdcd89dc4c0439dd6bd437b577ab9ff8b86a02cbbd26a90fa5c0591c4e4104bd12d5c8b8e6669e050

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
89KB

MD5
019f5551b00c45d677e2ab41d34d6d1a

SHA1
536e734b6b8e56cbcae7d584487c8584a50b1407

SHA256
25139553c40ec930c5961acf1db0667e86d007e7dc088cc21bb80ac0fa979e42

SHA512
f8d762b6387de0fa93779a06c56db661de1f3666dae384e9340ec920e062bca2fe653d66a9f3c15efeae31864e8dc788d3864cece6242fcabf5fa10aad556711

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
89KB

MD5
0458d271d7b0c8cf93f804f0452487ec

SHA1
0c933b9b4b2985dd66398fb520960f1ed46ad5bd

SHA256
cf0feb2e5e7979b22ad42d8ac30861ccf69cc43e15825c56ef60aebb34f27830

SHA512
78537979149cb6f70314045ff7bde9c02b4176e8416bed82ed4662ee72fc2e27214cc364e5f9a786f2717d69b64e9fdd3db30227aeb23776a679f0da1d910e40

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
89KB

MD5
ce6e2d83febc9811cfaaa4093bec8024

SHA1
3f1672f1d52b995c72d5c3a24fdd5306ab7bf9f4

SHA256
b13c517a9c5bc8a0e38038a9034a656d22f2a8ffa1c2b3d9b29a8c6038880fb4

SHA512
b7675c7c85e36c250e0ec01c29aa1db000cd675f866931672ebe1a1f496108cf24573af06206b62ff7a7dc6871e4ee928eda006247b5ba772dae5a2ba1f6ca73

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
89KB

MD5
9435de1e29375abc63e948ab380b74c3

SHA1
66108096b1240d45f7e462fa7f2608f6c315e0e4

SHA256
11f7a990cc8e253d50a34b3de0c4a4c932d286e5f3c99d8c5ca96d9b8ce54817

SHA512
8cabee7c3029ab93be245ba1a668b3c6e21913797211050ebd6519878c9162fee9b5d612ffe1a743e32166e4494db763310ae53271b1c80dc5a4e4107485719b

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
89KB

MD5
ddf0335355ef0ed594978eb94cf8c8d0

SHA1
c839a756e6ffaf49782efac0822b22a64f8e6ed1

SHA256
88be57c4a3a14d2ce4696cecd4a8953bb22c7963da41aeabf301ae9103dd5802

SHA512
1af52d3881bb00d98843440a0822ecc516a85da317390af14758625db77e3cbfea4e5189b5bd4fa78ef9702ae3982aa2fbb2de2d921c91f330c5574b879013ab

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
89KB

MD5
d0dd7865e32c12ba7e446d1ade4ef4fd

SHA1
09c985d247dd639a7dd9b92cd84de6be6d7e62a1

SHA256
ac8ef2ea6548a3f8040abf4c32ae0b5a2f94f31b87835b3a2fd0b08e92ce7dfc

SHA512
67dd695953b96023a374810c9619c60e24e376afdf9a325713018528b90ee99379d8ca7b7dbc29ca0123aad2f85ae3c12f828c84b0f5581f18321a4780d15bd1

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
89KB

MD5
ca29c9e92d03545201bbfe7e424c42fa

SHA1
639711e60373d4d735b5e3ff5b0056e4016f81f8

SHA256
c9d1e758b4dfe9d1a400b597f9acdbdb1650545bce03ba5b81277924e61d0909

SHA512
ae8de7740c507e16d9f9fbf46ec95ae2baf1d99575793c2151367a4e47a253d6c6a0ded3c6e06233b1975904fdee482f8282b9a1ed5ea04f4c1391ff76d849ce

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
89KB

MD5
6cbf9ebe7395b3e6d055c8a78e5684b8

SHA1
29df39f9f6d75fb7f5185af3e4a30a496ba854a0

SHA256
2ebb6bca8368c0851fb6ba72db5d8d395fa862b0071cc4d215a460996cc81e44

SHA512
1b14d1a27127ac36ece9144970fc6b5786d0c577163ff58ee3bab0e04f4c526179765f3201194f608724f6e9c5187fea4a8481582d0e92a9fb768e938653d63f

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
89KB

MD5
36ff8a7d41159e5018ca95ee7f54c0ad

SHA1
c9ad0357111224def68a34c0175ee7ee734eba85

SHA256
f62ab8e400dfdc1cde42f799207034f044d62dbf42c6839e8cecbd68ca1180e0

SHA512
93ee7cce84d775be7e093f2f5217fe01c7017ba9625b250bac4b86e85833160902deea30fb872c82d360b5c687751c17178c9f30cb9abd44a042182d25161c86

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
89KB

MD5
7db8238008764a2e8b1d6c4358f91d8d

SHA1
7d097494487799b47a3185633d391f4f09d694ab

SHA256
bc0452e7fe15c5d46275999ddbe425b5300ce56cd8b2a316ab1235fa37399215

SHA512
da9e75138c6b0f37784eab261cdd1927565b51096737b53cd4a6cbeb3d57f3980365ce109179ce4fc35007b9d8a27255ac1648745ad62ee5fd9bca364b41a0b3

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
89KB

MD5
b64da42d7429588ef020afeacf2c807e

SHA1
b41cea53519be6ec80195bc61de733338d634246

SHA256
a35096962a86e2894f74a5cb3a9b7f1efe4fd3806ef28f2f6e6e3dcfffcb1cc3

SHA512
a942ef885aa9c7c508252d467a03e6548883cf284379672592882abb55badb7d19f418b1d512700a1ec72be469bafc22f8555f66c8dd8f5e95f3c8b6477ba723

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
89KB

MD5
a071c227641d483f8df2e790fdc0b756

SHA1
7045c2c0ca2ac209be667f6b3147dab8e68a0095

SHA256
5a68e5eb4490030043c4109ae271a64367a2872d5f35e0835b5368bcd0c1ec52

SHA512
6db76d0afd50add508ad841b1799429a31de100247b5aaffb9ee1b3bf50cd61dd5fd65febae1c2ab1b3517e5a1572c61bd4c55ca9376a9a28fa7d97cf55b2084

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
89KB

MD5
d3efab4552f68f0544fc55b776d8caaf

SHA1
7cba037385a4b36f96113448bbdb43cf18409c05

SHA256
c6003e0871d951de19014a62a42d2a2e898eed1b089665ae0604b4aed8461667

SHA512
c37f60600e1134c0fc7a0cc43e89a1ab15a45b68b75e680b24b2cdfebb91ba9e538a129151ed7e17765bc03abefead9ec9c572d85f6c80969dd4d9893e85050c

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
89KB

MD5
98c24bbf7a6b62bae2e6e38ac80f4dbd

SHA1
c978a6642f0ef495f36d529a416f46edda943d3a

SHA256
1bd73478d1b0ccd56a17eaef06edf68585a0e436a560e5f16aceadb8983a0b89

SHA512
5ff948d7fa89a10b6fad57aa77e774cbc198fe40561a71ab39af855f679b2c6fcb74cae5e84117c83c7fbc38d5809ed92cf309da8e88b5722471400f30b75e9d

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
89KB

MD5
53604fe55dc69c1ec0e6f92d379c0f14

SHA1
f36d35bb28d7a538d16c251afc376126d59e4198

SHA256
29dddbad5dfde826be56e915ded61647e08b5690e84518ff88e26914c1cfb105

SHA512
8f35e3b2291941aea0fad3652b69638630a762d6ef263e4e0074ecaa944fcf45b59b6da28fc2207f2d263f4f6e62ea0ae12320a2e4babb5618f4cb6ba130e637

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
89KB

MD5
d7bb0c4de79e5112babca92e841127a5

SHA1
45db8833a201b16bedda08f76aa5da66206c0fb2

SHA256
eda4af9f171653412c3f6833a94c5c6f62b7621a4a9c94d3f7b54766668cb072

SHA512
560f084799b22ab3d92a06eea42fbc43fd0086f56af1b6689b1293264299a60bf74ca3d9a026a46acc5987c7767d092e7a9e0c8d419c1f2bfcf3a8fc33749fbd

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
89KB

MD5
7c6ea4f0da2fd38a0216cb344407df02

SHA1
cf68093782d26c56abdd2b25f8eddf57eaf3c9e3

SHA256
1f57086a59de07db9829ae6a448b2674bebe9a62784a185c24e490675be8e333

SHA512
a1f08dc1f36e96f0fd45f5305d23538e4d9ce6829efa00bdecd8df37a6e5c925ca50cb0fc0d17307aba2b4cc08df8df22637d66244ac73241937ed9ff88567a3

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
89KB

MD5
be87808657892c98a21c1b71cb7075ad

SHA1
931579136638e35294850d3927dc214a7a26059a

SHA256
99915d7e401d9777b9eb2e3e9b07545ccbc7f3a4d5d0639d499dbf8ee87e99b0

SHA512
ceeef75f4c09181de248f592a397977f1829a40b3599fddb401bc3f485c4d79570c16b04385666d6ff85ae555fc8ac94c3ad3e53f1609bce411f6cfdd3e02d64

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
89KB

MD5
0002fe254140c8ffecd6a52b7537be2e

SHA1
812fea61067dec2d38d8ab66740f868730e8399a

SHA256
ece905df32ce695a6a00ee7b46102aaa53481bb70415e8bac18497521d4cc8a4

SHA512
d9d648e4d5092183946c25c94fbfd2aea0ef2b2b10404ef6987c45ec9fc92133a5c0c979b1663ea461b135319ff3a96ce1cf92485c40c74d00c3436ac46bd949

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
89KB

MD5
c3080819143c071ca3c8eba983684010

SHA1
3c548d1a6f8796fc005cee7ad444f3d7f200dcd3

SHA256
e8ea9b43906093acb12096b18d36fbc1a95ceb8dc8b8e52aab9c19e609dd3092

SHA512
10c2fe480a4a6b4876dba946b4e76f8504a018af042c48beec403cc916074eba849fa5a30ef6cd68f17eaf992612d00d143b55d3569b23d2c462e4916da05bd8

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
89KB

MD5
315f581551f2d9c331b1314169c7f639

SHA1
a04f32bbeaf3aff81b205d45c86439ee4d3aeb70

SHA256
488b50baf4a7269d27fecdefb011f64a0d2154768e5deda728951bc5d3355e8e

SHA512
5175862a8ff57a3eefb896e8df3117866d3186b900dfa5fdcde1b94da56290ee1a6675d5c3d1e4af2aea179d56cc7038a716120cf4f36d47b5b870c0c9aa830f

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
89KB

MD5
e4fa953ed87b43f0cb97dfd95ff809e6

SHA1
acb739d747cd30663454bbcfd2307d128de22ef8

SHA256
011576acb0a2a887ea2eae1e668e78ce6c03c205fad81e0e405309056e9627c5

SHA512
4d27366db717de33d73be6d233515e1c39d4973ee77e5955234d1897f79dccad755582c51a3b93517f3ff530283265ee3e7b78b5ffb2a36fedc13a2984d17f98

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
89KB

MD5
b2a075a6dd097ad090e732a9b68ccd75

SHA1
cb41eb409db9d2d8240a0d09394bf4234f91f8f4

SHA256
804e9c82751901f2dbea3ca7a83418d5111197240d585694e560234b96d1be05

SHA512
e7b857a67b6390e642a0477fa0af98aa9891989123d948f156101c23b4f342b64559a78adc32c251d8404c2227796c64e71642da61f8aa262989e3ab63e86a03

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
89KB

MD5
4e7738edfc3a5645a3d3ebac087ff869

SHA1
8690a37286ba64cf89ed88260dc1da59c59b25b5

SHA256
5036715644f5954c7cb2086643990919bc8208c3772b0c44eb9c68ff991de02a

SHA512
d34044671b75a0d43ed18a720df8f37ed5af498e09ac2cd87335b0d982139f350406c7a30fdf418999d1227dabf1edffec5e4ff680c2c4b8cb629a7ffd592768

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
89KB

MD5
dbbad87457083122abcd4a72993db465

SHA1
753ff550cf360ab5c158e0ec873b019508ef7dce

SHA256
800969fbbe3868b18cbd0149b20b6a62ded3c4c17753e8eace3928f14292adef

SHA512
600334692b3425061d6c404a3b452987919e52c4f34da32b58be66e83db7c27cdefafd3749f1e31a78f5ede6c0df7c0e2974a81d85323e199dfad4062990bda2

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
89KB

MD5
c07031a2aa94e98140cbbff21d447e8f

SHA1
5a4220a34852a0692410ee7a54d3f256c06391a5

SHA256
db4f655d816f15f41b46deaa9dbe04e49eb33534524e14ccd40af736348880db

SHA512
18ddcdd239d99faf6c80b7b5647d700c426178f41af011c6351fa0e457fd6ffd1f01a34ba2c6c1900207c51680efa7f3ecaf8b730fea6b3f813ec396c96af4a8

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
89KB

MD5
78aaf847576a4f59aaeab00edee57fee

SHA1
5ecd3a679f087dc13b7698f725726f4a806e6349

SHA256
3d4005bf4c716682d97c39e185c81f1ad0c1214b4786dd0d07e470058e41e32e

SHA512
d6f1efbbf0be0fa87986ab10b6809506c907b47e59973018440d128cb33a858499d52510a75d1d53e3dfbccb5f2b4ffaa41fe52902e7a33ebf0daa35cfb0825f

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
89KB

MD5
572d42979084068cad12b40f86d808d2

SHA1
426a45bba33d0a11214af72838aa3cec8ee8ac4c

SHA256
af39c4af63c5b13f25d944bbacbb25939375cedc0de89605afe1c224f03b5e5d

SHA512
1dd5e344e996d0b6baf4e235c062e07fb06bfe2446180ff6fa7eb9eb71b8af1bbea0ac02c3484b98abc3fd8ca4aa4ba9ac3b20c25c43609d666b0c9c8319f272

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
89KB

MD5
331a55a59ea0ab0653fda2bbde1eae5f

SHA1
d151609ebba80f11b70579565e4dcf40daa123ee

SHA256
e64098d17022310c91442e4eaa0f9e00fcfb7d9b7558ea4d0b2c149e5f4002a2

SHA512
8e23190f23d45dd4ac0c6a59eb180d7163b4eafd7a74c2a6f9229b5544a5b13473dddd5c6f4e39a47f24fbc975a3037042e09eb36a27f70785dd9ee72b8f10d1

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
89KB

MD5
0cb2958e7e2dd2ea42d8cb8452dab0fb

SHA1
e2bf4a4a3d18df24fbf541b908f2d378f3d6771b

SHA256
b4dcbfc20c407130fb1439f998c2ed58a07aac6e3ca2cb721ed7db93957dd9bc

SHA512
6cc0c45e44640d1991f83a120ad4e517d0e15740f0c1892cabce9471c0ccbe77240ffed0bdd0b3bfa2a3552944f44cd4ad3e603fd6fac338ed1445cccdebe091

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
89KB

MD5
03de1e675f6b0ee06ba7e55a7f88fe32

SHA1
29ff322f36bac6da528b99d24b8cad910dfa0b9d

SHA256
b97bd739bb3ac2c527ca7b656ef76974ecc01980e57c7bbdd26960a7494cdc64

SHA512
8e5cbcbb7e804e5859a32c42cbde89dd80ceb1c40023ed65aeec2410c983092374cf4f136c689e4adb0538f69da0c2ca2c6385b8d473ef50f8640f063f4fbc58

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
89KB

MD5
27f8ae99cfe27634291c9ba36e1ced1d

SHA1
fd8dd9591a23fdec52ce5261c30d78a091f8e8b7

SHA256
8f76d204a2189c4c2fa6f1f04383e5d09c3bb66eaf0432e9f05f0bb83ac2a59e

SHA512
567721e5c19ba1763f4c3dfeaab4c879eb382aa5e657f9df44d1c8afe8c2b5182a9358d44e1cb6b98b15ba36b5cf34eb9b02d301b27d688afa635086645704ac

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
89KB

MD5
0492f1c74236d4adccc8e47efee36ec3

SHA1
8fa526d08b19c963167bc7d356b812f436d4000a

SHA256
111361b00b3818be5296b2976a2f130ef1d3b2b7e9e76b11716d17f5ec3607db

SHA512
abaf6af781aa40370447b1a1dc18d3fdc32a167440197959bb86f342929d147cafe94ae81ba5241ec25312db9ad5d354b56f08defe9dbd326aaae3d96c394d79

Download Submit
memory/368-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/484-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-525-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/652-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/724-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/896-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1248-595-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1420-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-584-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-530-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-590-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-576-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3120-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3152-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3556-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-542-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4136-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-512-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-598-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-563-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-591-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-43-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-532-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5160-603-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads