3da3d5dce71b78d0a45716e27545cd592c45b0b7782c44a4a339bba1763b6902

Analysis

max time kernel
135s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3da3d5dce71b78d0a45716e27545cd592c45b0b7782c44a4a339bba1763b6902_NeikiAnalytics.exe
Size

72KB
MD5

a730b7cb8610cf40fa13efb941582bb0
SHA1

d53e3a9de667297479337eb71a49d33d325e6610
SHA256

3da3d5dce71b78d0a45716e27545cd592c45b0b7782c44a4a339bba1763b6902
SHA512

e04c1666bf03cbd049114451f8834050018dc80592641153fc8bab09df169933b6ea1e97b97512e0e51e06c48f2270ff382178443420bc896ab536f8c8e8e37b
SSDEEP

1536:76wwWlQcXNN9MCpvWDwv6miPgUN3QivEtA:fvln9kC0wv6miPgU5QJA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe

Executes dropped EXE 64 IoCs

pid	Process
4820	Fokbim32.exe
1556	Fjqgff32.exe
4048	Fmocba32.exe
2536	Fcikolnh.exe
2912	Ffggkgmk.exe
4992	Fjcclf32.exe
3588	Fmapha32.exe
2880	Fopldmcl.exe
2084	Ffjdqg32.exe
4808	Fjepaecb.exe
1724	Fmclmabe.exe
2924	Fobiilai.exe
4032	Fbqefhpm.exe
4272	Fmficqpc.exe
3656	Fodeolof.exe
4224	Gfnnlffc.exe
2576	Gimjhafg.exe
4256	Gqdbiofi.exe
4628	Gcbnejem.exe
4864	Gmkbnp32.exe
1372	Goiojk32.exe
4956	Gbgkfg32.exe
2652	Gmmocpjk.exe
3380	Gpklpkio.exe
4672	Gbjhlfhb.exe
2284	Gjapmdid.exe
3796	Gmoliohh.exe
1060	Gbldaffp.exe
3468	Gjclbc32.exe
4816	Gmaioo32.exe
2088	Hclakimb.exe
1348	Hboagf32.exe
428	Hjfihc32.exe
1892	Hpbaqj32.exe
4920	Hcnnaikp.exe
4880	Hfljmdjc.exe
3648	Hikfip32.exe
1552	Hmfbjnbp.exe
4932	Hcqjfh32.exe
4488	Hfofbd32.exe
3472	Hmioonpn.exe
4068	Hpgkkioa.exe
1576	Hfachc32.exe
2636	Hippdo32.exe
4324	Hpihai32.exe
2052	Hbhdmd32.exe
3948	Hjolnb32.exe
2140	Haidklda.exe
2896	Ibjqcd32.exe
2592	Ijaida32.exe
2072	Iidipnal.exe
4576	Ipnalhii.exe
2628	Ijdeiaio.exe
1664	Iannfk32.exe
3912	Ibojncfj.exe
2980	Ifjfnb32.exe
2392	Iiibkn32.exe
3244	Iapjlk32.exe
544	Ibagcc32.exe
3816	Ijhodq32.exe
976	Iikopmkd.exe
1696	Iabgaklg.exe
4012	Idacmfkj.exe
804	Ibccic32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6232	7136	WerFault.exe	254

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gimjhafg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4820	4468	3da3d5dce71b78d0a45716e27545cd592c45b0b7782c44a4a339bba1763b6902_NeikiAnalytics.exe	82
PID 4468 wrote to memory of 4820	4468	3da3d5dce71b78d0a45716e27545cd592c45b0b7782c44a4a339bba1763b6902_NeikiAnalytics.exe	82
PID 4468 wrote to memory of 4820	4468	3da3d5dce71b78d0a45716e27545cd592c45b0b7782c44a4a339bba1763b6902_NeikiAnalytics.exe	82
PID 4820 wrote to memory of 1556	4820	Fokbim32.exe	83
PID 4820 wrote to memory of 1556	4820	Fokbim32.exe	83
PID 4820 wrote to memory of 1556	4820	Fokbim32.exe	83
PID 1556 wrote to memory of 4048	1556	Fjqgff32.exe	84
PID 1556 wrote to memory of 4048	1556	Fjqgff32.exe	84
PID 1556 wrote to memory of 4048	1556	Fjqgff32.exe	84
PID 4048 wrote to memory of 2536	4048	Fmocba32.exe	85
PID 4048 wrote to memory of 2536	4048	Fmocba32.exe	85
PID 4048 wrote to memory of 2536	4048	Fmocba32.exe	85
PID 2536 wrote to memory of 2912	2536	Fcikolnh.exe	86
PID 2536 wrote to memory of 2912	2536	Fcikolnh.exe	86
PID 2536 wrote to memory of 2912	2536	Fcikolnh.exe	86
PID 2912 wrote to memory of 4992	2912	Ffggkgmk.exe	87
PID 2912 wrote to memory of 4992	2912	Ffggkgmk.exe	87
PID 2912 wrote to memory of 4992	2912	Ffggkgmk.exe	87
PID 4992 wrote to memory of 3588	4992	Fjcclf32.exe	88
PID 4992 wrote to memory of 3588	4992	Fjcclf32.exe	88
PID 4992 wrote to memory of 3588	4992	Fjcclf32.exe	88
PID 3588 wrote to memory of 2880	3588	Fmapha32.exe	89
PID 3588 wrote to memory of 2880	3588	Fmapha32.exe	89
PID 3588 wrote to memory of 2880	3588	Fmapha32.exe	89
PID 2880 wrote to memory of 2084	2880	Fopldmcl.exe	90
PID 2880 wrote to memory of 2084	2880	Fopldmcl.exe	90
PID 2880 wrote to memory of 2084	2880	Fopldmcl.exe	90
PID 2084 wrote to memory of 4808	2084	Ffjdqg32.exe	91
PID 2084 wrote to memory of 4808	2084	Ffjdqg32.exe	91
PID 2084 wrote to memory of 4808	2084	Ffjdqg32.exe	91
PID 4808 wrote to memory of 1724	4808	Fjepaecb.exe	92
PID 4808 wrote to memory of 1724	4808	Fjepaecb.exe	92
PID 4808 wrote to memory of 1724	4808	Fjepaecb.exe	92
PID 1724 wrote to memory of 2924	1724	Fmclmabe.exe	93
PID 1724 wrote to memory of 2924	1724	Fmclmabe.exe	93
PID 1724 wrote to memory of 2924	1724	Fmclmabe.exe	93
PID 2924 wrote to memory of 4032	2924	Fobiilai.exe	94
PID 2924 wrote to memory of 4032	2924	Fobiilai.exe	94
PID 2924 wrote to memory of 4032	2924	Fobiilai.exe	94
PID 4032 wrote to memory of 4272	4032	Fbqefhpm.exe	95
PID 4032 wrote to memory of 4272	4032	Fbqefhpm.exe	95
PID 4032 wrote to memory of 4272	4032	Fbqefhpm.exe	95
PID 4272 wrote to memory of 3656	4272	Fmficqpc.exe	96
PID 4272 wrote to memory of 3656	4272	Fmficqpc.exe	96
PID 4272 wrote to memory of 3656	4272	Fmficqpc.exe	96
PID 3656 wrote to memory of 4224	3656	Fodeolof.exe	98
PID 3656 wrote to memory of 4224	3656	Fodeolof.exe	98
PID 3656 wrote to memory of 4224	3656	Fodeolof.exe	98
PID 4224 wrote to memory of 2576	4224	Gfnnlffc.exe	99
PID 4224 wrote to memory of 2576	4224	Gfnnlffc.exe	99
PID 4224 wrote to memory of 2576	4224	Gfnnlffc.exe	99
PID 2576 wrote to memory of 4256	2576	Gimjhafg.exe	100
PID 2576 wrote to memory of 4256	2576	Gimjhafg.exe	100
PID 2576 wrote to memory of 4256	2576	Gimjhafg.exe	100
PID 4256 wrote to memory of 4628	4256	Gqdbiofi.exe	101
PID 4256 wrote to memory of 4628	4256	Gqdbiofi.exe	101
PID 4256 wrote to memory of 4628	4256	Gqdbiofi.exe	101
PID 4628 wrote to memory of 4864	4628	Gcbnejem.exe	102
PID 4628 wrote to memory of 4864	4628	Gcbnejem.exe	102
PID 4628 wrote to memory of 4864	4628	Gcbnejem.exe	102
PID 4864 wrote to memory of 1372	4864	Gmkbnp32.exe	104
PID 4864 wrote to memory of 1372	4864	Gmkbnp32.exe	104
PID 4864 wrote to memory of 1372	4864	Gmkbnp32.exe	104
PID 1372 wrote to memory of 4956	1372	Goiojk32.exe	105

C:\Users\Admin\AppData\Local\Temp\3da3d5dce71b78d0a45716e27545cd592c45b0b7782c44a4a339bba1763b6902_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3da3d5dce71b78d0a45716e27545cd592c45b0b7782c44a4a339bba1763b6902_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\Fokbim32.exe
  C:\Windows\system32\Fokbim32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\Fjqgff32.exe
    C:\Windows\system32\Fjqgff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\Fmocba32.exe
      C:\Windows\system32\Fmocba32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        37⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        38⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        39⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        44⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        46⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        50⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        51⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        55⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        56⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        59⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        64⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2856
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        69⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        70⤵
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        71⤵
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        73⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        74⤵
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        75⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        76⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        79⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        84⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        85⤵
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        86⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        88⤵
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        89⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        90⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        93⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        94⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        95⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        97⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        103⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        104⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        105⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        106⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        109⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        113⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        114⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        117⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        118⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        120⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        121⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        124⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        125⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        129⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        130⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        131⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        132⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        133⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        135⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        136⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        138⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        139⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        140⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        143⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        144⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        145⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        146⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        147⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6396
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        151⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6484
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        153⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        155⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        156⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        157⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        158⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        159⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        161⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        162⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        165⤵
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        166⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        167⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 408
        168⤵
        Program crash
        
        PID:6232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7136 -ip 7136
1⤵
PID:6192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
72KB

MD5
4e067245ffa0eeb84e369241e4a4f96c

SHA1
c65062ac666cd4068793a41f742acc326a572a6d

SHA256
549564fe4dc818736c252e577488af4140ee7349319d3564d361ef26f98a31e6

SHA512
b21058f53b19f5f2b349dd50a4d296030302e75d3a86fc26f2a7037e60a61e7a2c96d5c17bde96517b09fa99d2fca4e09df8af34c92e643f3ab42b2d16ef4e07

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
72KB

MD5
5163bc17ca45b6c45da4313dd629e484

SHA1
16cbd3f4092a307f54b9168895aaeae88a088160

SHA256
ca4145bd98612a3b80a9afee8681612b7631048180be14a1aa7abfbc6cd141eb

SHA512
c9fbb413ba73a861ba56165ded4972944f75e4be8b3977c26a12a6839258e46c2bf6b1d0c505b512c1cafc54f48ff6e81a1484ae210f4759779e54c1d3915209

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
72KB

MD5
607d924d2080b0d1b95f0f1c7f1ebe69

SHA1
716f3efec85d8bf92434ffd652154e34bb4ccc41

SHA256
2a8772b6b75fc40d140004604a76734a6d0b90ff82725ffbf13afb7d2bee32a3

SHA512
b2ac19d8046ebfed08201f3847f8ab7547c53c6aaef6d0907ccdb79d6ab74033d0dcd140e3fdb538b840ff3ef4ec6cec813508cd4211351be400c5aefcc85a31

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
72KB

MD5
dc2a2ce9b544327a032d7885d6dd3103

SHA1
162fc405a2a65be49c1126989d3d63d8987fc711

SHA256
692601044abae640bb315d5a6012ba8fac6384a5823eab1766ec9db12cf19415

SHA512
704269ec563a12d0ef1f3cfae47d50299e91eb4749fdefe3d157db05cd0e56107f39823b5d0fa95487911cbae4c40cbc3465579fee97aec7ebd8c802dcba9f3c

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
72KB

MD5
a96c484deabc1a3c5ff1632e189bad5a

SHA1
02eba187ca39df75e921e48713d051bf4ad3cbb3

SHA256
a7e56fd3e52d7b680053e1362b3e8d586a759e4b9af87b3ee59bf31270f5a672

SHA512
7d881647c4ca1db253aee22c129ae4cb4fa04227149b60898c5b82440efb2a36cf078d9f2b7c8c623119daccaf3ccf6a7fd87a56af5f20ef35c36531795ad569

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
72KB

MD5
979508797ca39d38cef50acd40a57e82

SHA1
7cedae999782743544db1b61d083025fe7f66d18

SHA256
b7dd50407b3e69e450dc3855b0e82152560ab26aafc6ce14f53008fe360ed12e

SHA512
ad6bc8a1a1720174812d8062950cc81d10534c0715e048be87385f232745872093411ec71d59dfeda90ef08a29e778845068579c627212195cd02a9a15480892

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
72KB

MD5
9f055c99e1ceddcbef833b69bcdeef8c

SHA1
d193f80a55d0acd2805c07e015931d6bfb6e5061

SHA256
3f180e9d463c7b972fb25a542bd199137994c5647d628c23fef2331284f3d935

SHA512
f7027e4db61e056e3111089f40cc00007cfb36bd4fbfc3544c22dba53efb2ea3822fb6b45bb13c9e2511bcb9b652a4541554becc810d76cb0414d1c699f706d5

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
72KB

MD5
3df751847739c348a541ff5e7a8c7f24

SHA1
67b170bcf5a6322950dba4c27a053a5a106006fa

SHA256
b2c79826d03273fe3bec1fb07e26c589e8b9c1831534a515dddfd9e4f87270f8

SHA512
c46eca341f5739f56bfca55270a96987149a10fb1bebd2ba95f2de7ef6b977ce4f2152d2b79976c6438c020a1c04ce5d255b7a1c4d62ae6f06b920fb6143aa43

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
72KB

MD5
61b0f4a46be18e41d41e1dab38227ff0

SHA1
ada9189a13c6f003bbce15d701534305dbfb22d3

SHA256
7bda36eb637ee18b897645c3ae4d5d3442fc0843b681eebee55e8ec311be4190

SHA512
3f96aed6ba2776dd31eab7aee7f0c53b98bb3e61f7fb4cc4ff79ba2bb07c33b97da8ebadc0213de99baf1d7cdd9e8713bfeecbe444d838e3e276468a8840a1b2

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
72KB

MD5
30b87f6ca1f628be67f194da78dce802

SHA1
84410c905eb804158a01d0580a2a59f6b69c93e9

SHA256
e37483370e39708c35298c1bc808ec445c4fefc5f6463e7318307e6d063de84d

SHA512
683a66a5be075ff5164aec2bedffd94b8acc09f8e02de8228d6ef7a85690efd33982e3d1471daeb0e6405bdad0bcde5be48fdcd3712ca6659a39eaacf396526f

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
72KB

MD5
fd7d44081428f81f8cb950351cab2c1a

SHA1
91ea494225e6b57c250f3db818fb45cc519ac0e9

SHA256
f230e6b6d9b6546443667395e548f77b4be0e8b079887ee646411a330960211d

SHA512
04b07f38e58a1764d5b6e8e73e65d844be12efa49d5ac00be6b49d1306408a57d8146e66e6abde405caf4c8e791711313dd0937724a60e66e2683bf830b1f8c2

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
72KB

MD5
4ddc46fd2caf050da870100a8fec98ad

SHA1
76c18acab16ab37f492f842d7d17b2d462f9165c

SHA256
484766f09dacc51424fdeaa40113d5bd581321324c54fde7f5c367001fbba15d

SHA512
085b0648ed9a07b41335b47c95e5af5519240217724c70e9e76702834ae27e7cd8cf03d094000c09dd8cf21cba637fc0e9749a7dc1843cf346d09c0a2cee1200

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
72KB

MD5
3c6aba667fdd63bf4d41fa6259a8b0f1

SHA1
de1f83d8e643bb65b55e97e52eea2e630d9409f3

SHA256
1e4693a9c440a5e56a2a7a311476a9ead6d4c682ed818e3fd1392290bbdbe9b0

SHA512
90d4812bfe5744c1184507f83cfa5dc588162da6ac0fb1de2c718ad3ec4680cafc423b8ccbe5e747ae9b1c56415b47680a943451d2c945e818c837cde52dd166

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
72KB

MD5
cbda6047be09b7552a3cab6c6b75877f

SHA1
bf17c842cfee8c6d69be9ea159e973e6b18be3ac

SHA256
b8c442b1881532c29a8b3601b8b39194e32cb9763836d3628213db17f5deabd0

SHA512
13ff340dee329310e4ce5ba75a502775b3f37c2cbacd68abd16006d7862b59947d4a1e8817c6373992c5b45dcff0fddc8290d28bd317b6d1a450d8a125621ed0

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
72KB

MD5
ee5d52716a9399770199143cf6d449d3

SHA1
176fac7f6c993d2042a7f012da7255dca6b0230f

SHA256
f8064b836877df3d63906885f94c74a3e1ae883937020e93206f470ec7c47582

SHA512
4c5b2524c77229d891134f3e9931018daac7f1c355e30dd5cedd35e3cd2eeab72e6bc03e3834abdf93c79e527bf67a5d0003b791ee9e330f3d0920f95972616f

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
72KB

MD5
4e200a47f0892b0c7fa3611de183d7d5

SHA1
3653898b50b1aad9ada36de9bd223ac3cd54fc84

SHA256
ee0096cc5ed11ee25a2fc2155ce2b4fe1452e18ffb5d0a63af57cdea26529fa5

SHA512
dd3731d26d27031a567927a27e3cb679bc2273141afd0ac391394f01953298f0f9bf01410d178a6b1a1e53981c398d494f536e7ac321675dbc5c5632ad0e4a32

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
72KB

MD5
36a565e6e4d694f05198012a70b34aba

SHA1
027b98e489199351e4094611aa597d928a157660

SHA256
7122fd0d436b4cdeca4da20469ebd152e110bac563c79844458dc597881a3a90

SHA512
244dc608c7a064d2f4c2e647f0e4010bd20370c84b09b5f31d060e086609a90c2ae8d22b7791c050495a8364519c3469a11acb31b5d35c617d12e8c7e651121d

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
72KB

MD5
e822318054a93ab402cd6922bc3c60d3

SHA1
d40d14dfc60797e930742ba4867704370ef24563

SHA256
08858ca146cf557adae07d2b2eacecd1be3a42ccd115a6202ffceddef4ce1316

SHA512
8d94c914eae5b2dba452d9fb69900bda7a148bf4d79f31f41171f5d7a395566189e5553097a1ca513bce0fe786b5525b12a5f769bdf60a7ee45c32d878931c51

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
72KB

MD5
414cadccfe91a475cfc5e60c9fde57d0

SHA1
b5712f023426adbf689a66d4a70c24a09ac6fb63

SHA256
29b381d4ffab8fa171737cb377d2b2cb2e7176bb2f1ddcbf255dc3dffda8852f

SHA512
7a3716e80687719827b8395e8934441bf4c578e177e858cc25d4f49d522174b30352fe95b9f5519a38b7b51a356d032bd5a866719529e4c9a49fdf61b53d820f

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
72KB

MD5
31bfd248a9297ff8019fe859b83e9e73

SHA1
068b1dde1ca43c2b214bd7e9f71aee0ef0e2d054

SHA256
6d1efecd363d529c7ff51f669b3ebab91507691f066daf1df7b4df0b50bfda36

SHA512
ecf12e4a5178018023f2978bb66017b5819c0dd2d49b575272ab027f133e4f36c3a6bb97814a8e3d4da2ae9a47b9b2a8800ad52e876c45029f81d537e593a518

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
72KB

MD5
063d5e266cf2e050241333c98a645fa1

SHA1
cb50b18906822da9c56a26d5f84f540d17709947

SHA256
7d540eb21a474ceebeeb0b1385ab00173f9c4307ff9df52536d58d468e7d73da

SHA512
ec130e398c8bfcb05f4d41a17716fc99ed7680179c2ea88aff00ae6472301254d490707a46cb38ed02f5b879723d655b09521b6bb0c2410c7a2ecd1a5d057b5f

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
72KB

MD5
a1f81922cb6243f0763fe4be9fab8a97

SHA1
80d52d439d168830a9ff7bab449ef4d6289a3bdb

SHA256
6eaaae095c3ed298099963ef86b0f229357b2f364518490ca2da3360a6ac8864

SHA512
377eaa46a15f6481c1b589b05e4008c9a8e152ecc0d7b0422e9975f4b728236a77976b1eaef6ae54a81251cfc074b50279ed8af89a576d568651375413397c1c

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
72KB

MD5
535c1305c305040838d38496c7eb8d42

SHA1
08a7422459cf4447918831e355904a72bad0ad7a

SHA256
59d22eb704c65c91c057cff041ea2fa4ce43da2f8f97c32a295c9bd511204736

SHA512
6bec730830f846a2d9192038e530a259e622ace9e0588177e356ed90ede81968624c22bfc10dbc256f0e3b861f761ccca5bb6e91112dc2e54b07c993a27c0aae

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
72KB

MD5
be7ef95b82122f2c5392bfc61924cab4

SHA1
3cffb8e11ac2e6f0dc9eb198e993fcd0c4177ae2

SHA256
06a253b5c69fe9c9f222a33ac643d8c8a36b77aa5f223d6616fa6323b23d662d

SHA512
82ead549cd2c4301deb32acf9378f3d05b87fe1d5d7ea819d3e2882fb08fa1d05ea7c84e1339072b5742a70396a070dea557de0763d7feba6564617a0f0c589e

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
72KB

MD5
fa8bb23b4af8edd03a90d84e9c767d9a

SHA1
4f35c26d63419e188e49a89f7223cf238ef309ea

SHA256
3f25d124cf1bad4cb060141605f96446fb1e9c5e8da817aa285a8261c6aeda9a

SHA512
f5c191b52beb860594b0d04918699bb40370983c6655df49a28e2125622103a005ae6e46b55cb2261dd733a52f9e2d24cff895907d61dc70c5d228f445a1046e

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
72KB

MD5
d51dea10a5f3d52132dd2a73826b31e7

SHA1
a4a61f3ed94222868e68b7a593bddc5b6619a6e9

SHA256
8dd407770508c88a6073acf19be98386f07a932c5d3dfe5681d8fe7ce3526e9c

SHA512
9f54fd41ad06f7f4d4d34eadf4d93b1abb573915e93c66e0a73b94dcfb103d55702d42e8ae41bbc4a58d52bc34dd2ef6f41b49b2184f8ff8f859f71619af8157

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
72KB

MD5
f5f500a1c85624918b311cb28f21cb11

SHA1
cade7552eaf1bb206515e2582af916148d7c4ac7

SHA256
37173a549830525efdc90294c7ebe3b91c16a03f4006e601429c6b7dab7aa8b9

SHA512
b61c9c15aecd8e1c4c8a2f116ee39868d8973e73a90918faabc2c9dcb612721a3afe9b33359d147e2ced4eb99b7685028a0580fe2a69d1a4643e888dd911f14e

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
72KB

MD5
c78ab56370187d7fa93e27961074e4a7

SHA1
df1bd2ebf4ce1abbe1b4a76106724b4ef4dc30b8

SHA256
b16bad0d72a2d140dd0fa84c08542e75b79e8aac48fe969802ce9b1f3a881e84

SHA512
c4aae412df35a45f89091aa6724f5ae33a9518ef811751a65753ae59980b36059b99e2efa22498a95331ffad2cafeaa8eab04526ec9cc202190f808c812e315e

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
72KB

MD5
13b52a0e3654ce919741e8d9ac3eb01f

SHA1
d411c8fce8ae97870d91f47cbf7a60a9749c351b

SHA256
73e4c4d092ded0390358bf5e3d29fbf742c4d330ab5a3d3c435c47b0eef97454

SHA512
2e25507928e14c1adb2f434d108ff21c41812c01235c740ccb471ae4cd578c672c0afd486a3e5003456b4fa55042577a4ef0a7d296a0b76e6b9ddbe426e9a99b

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
72KB

MD5
2090a8195d8687f2aa882b83882a3a74

SHA1
2c7c8ba5fcb04a98db4ccf93896eb9e1182ce578

SHA256
8af89831436eb027f410aadfd063694fa2912996dd9b537a0042b0283f9d7218

SHA512
7c9ae62016dbc5ba5c6527eb68a3f1659b7f044d4f060c3d0908e1b45df15b30a16db4ad23bf84c244c6962859ad097737b2c740d3cefa4e13b4c02e3d4bb56e

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
72KB

MD5
cbfab7892fa5ec5aa0bba9fe7f97088f

SHA1
276ec2b7fd024067634478795671188e3a448ae7

SHA256
0abb880f3a03a959006bba42b93ee6e1b0eea1ebbb14c4d4d6faac8a566951a7

SHA512
05eb504fd7f3b38290cd8582eeefd77ea93a135b7f83b7d1b923a484db4534a0aa95820156d51c66cc522481e0ab5572860c838c1a8878b1237bd181cb0b1905

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
72KB

MD5
4030cf2aa5af0e31658c38b79825540d

SHA1
13885580ac1936c060be75daea8924551a2f9e23

SHA256
3a30218ab217af17094cbdf4cd5531f2d28dfa3000a38f77f14121426a696e3e

SHA512
2f53f958b9d01db5a492a4a55561e68e7f9bae143d764e2767f613b83e6ccd2acd0e7144d425dbe3421b675a3871edf26b9efaafc17a6f548dfb34b7a0b84019

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
72KB

MD5
8a6b0dfa9ef5847b44b51c2579bf4c16

SHA1
b0ff7ce0f71829461444199ebbac2601c342be23

SHA256
5df6c24a4eeaf3c89be868533856472fdc92ee6a20f716080af67c0be3c9d8ad

SHA512
54c0e4b8233ec6453b5cd96cca9be1bf5ae9eebc13dda28ffca3e6f52adecc21b987fdf21e9b1b905acec6f9fdfa920dd0b362e75767171116cc0e77a26425dc

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
72KB

MD5
ee6d29efe5695266ce55be102781d044

SHA1
da966a73125025c9835700f566e022de63385d5a

SHA256
750e4ff8ee90c5cacb622d673a5af961117c462c053fd0392ea78732beef3605

SHA512
a1837cd792c1762622c49a3c3ec256ddafc9719ab82699d6f1712d45ea763d1d14415bf0f6f907fd59c21fcd01c7b76eec6823a0783a50317c297b73988ea48a

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
72KB

MD5
b4893275888f71958d9cb029c24dc58b

SHA1
2380a2e05e146a786b98ea4a334b378521052502

SHA256
da0d63f24626846b65ac30da93b2c8f213d3a286ba45411178218aac895518ac

SHA512
1fd19fd002f0be7ee1b4d1f74f206f58a1bb235e31024630217440fba4ded9db89c76d1e89bd035598e87879cb7455636fb5fdf50c62b67c11310ceadd1e9255

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
72KB

MD5
9f185d88b25e126e96faf285ee9a14f9

SHA1
42f26ac0277b9be665e282fdc2084747d949d9c8

SHA256
40f72a3d7a529c59d6a176428fff3a28d361e6f3eb16f47881bb3bcbde79fee2

SHA512
27fa88835e0001a2e19a0ffd0893d66bd71a3176de3e0193d5d0cdb4dda0484814f0ca75ed5e51e79aebeb6a2ed1c3563def9fe376b0390423c3f48d0004f931

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
72KB

MD5
87dacdff10279a3883ce47ce6cd0c492

SHA1
6a4ad2b4e2dfdaf86046d548fbf5dcb784bd54d3

SHA256
da699847a6b244f1d3d0ddafe843a9f7a7a69ca86657f5c158d5406328ab0f45

SHA512
a5d065e62f2f2b7502a60cf0a89298defe8c1e5ec6132ae72599d9ada431f32cd02a262d162756d63fd3cea66a3fc0f8e53d551a257172b4cb8498dd87e243b6

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
72KB

MD5
86b8fcac7eb516efed4f17433dad1562

SHA1
1d4d7c1c02659337b8b1d9f8dfb87f30a697b8e4

SHA256
d21cf15985827215b72f2423730a4d7084ceb26b9ee1e0f56e150ce33f80b389

SHA512
8a77dfd18916855e973f75b40295d6f6bd92732915572dcf446ddf7a668b616ac74713395ab3f53b41412c329f37fec0352d30cebe304946edcd3b440bb843db

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
72KB

MD5
ff6ab88964f107f8d2dc3b7bde6a3339

SHA1
2ed90ccd25d69734bab23cb35aaed32558b7ba4c

SHA256
2ccfece22a3523461771d06d211bbdb8a054c369c9f8bb63dafe2d1cdd006093

SHA512
03e8f6de7cc35a2072496ce2f680b24a97eb6474e5204326bb22a44a068ac1db205fe1966bf7f50dc0911bb54f8a6b3a9f8789241e657286a150784a7e5ac73d

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
72KB

MD5
583d448d6774a146731e67e90ddc367c

SHA1
6293d1f77fa8d3fedb7e7cbd5966e5432db5fa38

SHA256
5cc6f6c9ce02c06c0a3d45a230b55b75792e280f1d8fa549112cb615ccce82f9

SHA512
d6bc4e6f657a55aa2eb5984365ad626b18d266282d4ebfc58239c8d2a182d57322d5938e00deabfa89eebfc0d984cbd23fb32219db1fe3011631eb1dcb253991

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
72KB

MD5
0f02659271db5ac225657f2904e43f68

SHA1
ccc065909945dd5c19e596d4cab30f883e585135

SHA256
2a8ff28a0aa76325a8f03e905c8a70f53c2057105c0b6bc58743927dac889124

SHA512
ee64c5172c37223cfbb481214964705c0c8e6be9d6c03484fe84164b3b9537820edcdeede7d70d65ebd033c17a4bc5fb1ec4a3129dd9c46547951a3aa9ad5f8b

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
72KB

MD5
eaaf3a1f320e7fd3d1b9d1e7bf0e9e4e

SHA1
b76327a517748646f21a62bc607dfd1108119475

SHA256
b80662c16e41d0026632128cb094ece3b191b9376b7a21ca64a9ac9076230390

SHA512
66149679cacc43579723aeb0cd95fe0f6a8dc9cb7a290c4bd46606dd41742356655c3f6547b546f1ad7238e5fc7a5f9700d74b5bacdf3afc8a9fc008249574f7

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
72KB

MD5
cdd66c49b547e49bc7b722b2695aaabb

SHA1
eae216d46b05ca49ddb2ce49a44feda36fcef1eb

SHA256
3a1883080a42bcf8f420f6cb9d3b7de51f49e2eaed19ea0fa50f532e3049f975

SHA512
f58fa964f8e5c7053646b10b154a1da543b21fed9b6ea6cfe8659991e5842816cb4ddcf16e29c28b5c5f7df74e6c59ee3ffb29425ceef8fbbded25377009bc27

Download Submit
memory/428-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/428-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1372-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1664-422-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1892-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1892-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2392-446-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2576-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2576-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2628-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2636-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2636-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2880-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2880-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2896-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2912-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2912-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2980-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3244-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3472-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3472-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3656-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3656-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3796-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3796-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3912-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-445-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-194-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-105-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4068-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4068-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4256-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4256-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4324-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4324-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4488-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4880-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4880-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads