df8859015e93d01c40e403b86a7c9db184f7875053cb09463a6b1f89529d9ac7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d01c9eb9556b8d24e7199adb23862d0_NeikiAnalytics.exe
Size

192KB
MD5

1d01c9eb9556b8d24e7199adb23862d0
SHA1

c94cb7a45a28e03e27ebf1ccd954b7730b573069
SHA256

df8859015e93d01c40e403b86a7c9db184f7875053cb09463a6b1f89529d9ac7
SHA512

7f35c185b8f3ada7db6c599f407e53eac645785ef24add09a99dce6a162f2701a1569b6635440ff0be4537c897b544639d844710dcb3bbb808f96702c97c3a08
SSDEEP

3072:9VBNRAcf0a51W24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424hoc:L9AC0az7sFj5tPNki9HZdc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe

Executes dropped EXE 64 IoCs

pid	Process
2908	Fqaeco32.exe
1492	Gbcakg32.exe
1108	Gogbdl32.exe
4440	Giofnacd.exe
4664	Goiojk32.exe
2644	Giacca32.exe
3060	Gpklpkio.exe
2712	Gfedle32.exe
400	Gidphq32.exe
2380	Gcidfi32.exe
1592	Gfhqbe32.exe
784	Gifmnpnl.exe
1056	Gppekj32.exe
1752	Hboagf32.exe
1820	Hihicplj.exe
4304	Hpbaqj32.exe
2052	Hjhfnccl.exe
4284	Habnjm32.exe
1796	Hbckbepg.exe
436	Himcoo32.exe
2208	Hadkpm32.exe
672	Hbeghene.exe
4856	Hmklen32.exe
4088	Hcedaheh.exe
4520	Hjolnb32.exe
4248	Haidklda.exe
5072	Icgqggce.exe
956	Iidipnal.exe
4356	Ipnalhii.exe
4208	Ibmmhdhm.exe
3312	Ijdeiaio.exe
4496	Iannfk32.exe
4240	Icljbg32.exe
1704	Ijfboafl.exe
2388	Imdnklfp.exe
5036	Idofhfmm.exe
4876	Ijhodq32.exe
5032	Imgkql32.exe
2424	Idacmfkj.exe
4872	Ifopiajn.exe
1152	Imihfl32.exe
2980	Jdcpcf32.exe
1220	Jbfpobpb.exe
5060	Jjmhppqd.exe
3616	Jmkdlkph.exe
3696	Jpjqhgol.exe
3104	Jfdida32.exe
4216	Jjpeepnb.exe
2184	Jaimbj32.exe
4840	Jdhine32.exe
2628	Jfffjqdf.exe
1728	Jidbflcj.exe
2344	Jaljgidl.exe
2000	Jdjfcecp.exe
4980	Jfhbppbc.exe
4996	Jkdnpo32.exe
5004	Jpaghf32.exe
3624	Jbocea32.exe
3748	Jkfkfohj.exe
5096	Kmegbjgn.exe
4800	Kpccnefa.exe
3692	Kbapjafe.exe
2588	Kkihknfg.exe
3876	Kacphh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Giacca32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5636	5928	WerFault.exe	222

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 2908	4120	1d01c9eb9556b8d24e7199adb23862d0_NeikiAnalytics.exe	82
PID 4120 wrote to memory of 2908	4120	1d01c9eb9556b8d24e7199adb23862d0_NeikiAnalytics.exe	82
PID 4120 wrote to memory of 2908	4120	1d01c9eb9556b8d24e7199adb23862d0_NeikiAnalytics.exe	82
PID 2908 wrote to memory of 1492	2908	Fqaeco32.exe	83
PID 2908 wrote to memory of 1492	2908	Fqaeco32.exe	83
PID 2908 wrote to memory of 1492	2908	Fqaeco32.exe	83
PID 1492 wrote to memory of 1108	1492	Gbcakg32.exe	84
PID 1492 wrote to memory of 1108	1492	Gbcakg32.exe	84
PID 1492 wrote to memory of 1108	1492	Gbcakg32.exe	84
PID 1108 wrote to memory of 4440	1108	Gogbdl32.exe	85
PID 1108 wrote to memory of 4440	1108	Gogbdl32.exe	85
PID 1108 wrote to memory of 4440	1108	Gogbdl32.exe	85
PID 4440 wrote to memory of 4664	4440	Giofnacd.exe	87
PID 4440 wrote to memory of 4664	4440	Giofnacd.exe	87
PID 4440 wrote to memory of 4664	4440	Giofnacd.exe	87
PID 4664 wrote to memory of 2644	4664	Goiojk32.exe	88
PID 4664 wrote to memory of 2644	4664	Goiojk32.exe	88
PID 4664 wrote to memory of 2644	4664	Goiojk32.exe	88
PID 2644 wrote to memory of 3060	2644	Giacca32.exe	89
PID 2644 wrote to memory of 3060	2644	Giacca32.exe	89
PID 2644 wrote to memory of 3060	2644	Giacca32.exe	89
PID 3060 wrote to memory of 2712	3060	Gpklpkio.exe	90
PID 3060 wrote to memory of 2712	3060	Gpklpkio.exe	90
PID 3060 wrote to memory of 2712	3060	Gpklpkio.exe	90
PID 2712 wrote to memory of 400	2712	Gfedle32.exe	91
PID 2712 wrote to memory of 400	2712	Gfedle32.exe	91
PID 2712 wrote to memory of 400	2712	Gfedle32.exe	91
PID 400 wrote to memory of 2380	400	Gidphq32.exe	92
PID 400 wrote to memory of 2380	400	Gidphq32.exe	92
PID 400 wrote to memory of 2380	400	Gidphq32.exe	92
PID 2380 wrote to memory of 1592	2380	Gcidfi32.exe	93
PID 2380 wrote to memory of 1592	2380	Gcidfi32.exe	93
PID 2380 wrote to memory of 1592	2380	Gcidfi32.exe	93
PID 1592 wrote to memory of 784	1592	Gfhqbe32.exe	94
PID 1592 wrote to memory of 784	1592	Gfhqbe32.exe	94
PID 1592 wrote to memory of 784	1592	Gfhqbe32.exe	94
PID 784 wrote to memory of 1056	784	Gifmnpnl.exe	96
PID 784 wrote to memory of 1056	784	Gifmnpnl.exe	96
PID 784 wrote to memory of 1056	784	Gifmnpnl.exe	96
PID 1056 wrote to memory of 1752	1056	Gppekj32.exe	97
PID 1056 wrote to memory of 1752	1056	Gppekj32.exe	97
PID 1056 wrote to memory of 1752	1056	Gppekj32.exe	97
PID 1752 wrote to memory of 1820	1752	Hboagf32.exe	98
PID 1752 wrote to memory of 1820	1752	Hboagf32.exe	98
PID 1752 wrote to memory of 1820	1752	Hboagf32.exe	98
PID 1820 wrote to memory of 4304	1820	Hihicplj.exe	99
PID 1820 wrote to memory of 4304	1820	Hihicplj.exe	99
PID 1820 wrote to memory of 4304	1820	Hihicplj.exe	99
PID 4304 wrote to memory of 2052	4304	Hpbaqj32.exe	100
PID 4304 wrote to memory of 2052	4304	Hpbaqj32.exe	100
PID 4304 wrote to memory of 2052	4304	Hpbaqj32.exe	100
PID 2052 wrote to memory of 4284	2052	Hjhfnccl.exe	101
PID 2052 wrote to memory of 4284	2052	Hjhfnccl.exe	101
PID 2052 wrote to memory of 4284	2052	Hjhfnccl.exe	101
PID 4284 wrote to memory of 1796	4284	Habnjm32.exe	102
PID 4284 wrote to memory of 1796	4284	Habnjm32.exe	102
PID 4284 wrote to memory of 1796	4284	Habnjm32.exe	102
PID 1796 wrote to memory of 436	1796	Hbckbepg.exe	103
PID 1796 wrote to memory of 436	1796	Hbckbepg.exe	103
PID 1796 wrote to memory of 436	1796	Hbckbepg.exe	103
PID 436 wrote to memory of 2208	436	Himcoo32.exe	104
PID 436 wrote to memory of 2208	436	Himcoo32.exe	104
PID 436 wrote to memory of 2208	436	Himcoo32.exe	104
PID 2208 wrote to memory of 672	2208	Hadkpm32.exe	105

C:\Users\Admin\AppData\Local\Temp\1d01c9eb9556b8d24e7199adb23862d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1d01c9eb9556b8d24e7199adb23862d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\SysWOW64\Fqaeco32.exe
  C:\Windows\system32\Fqaeco32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\Gbcakg32.exe
    C:\Windows\system32\Gbcakg32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\Gogbdl32.exe
      C:\Windows\system32\Gogbdl32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        25⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        26⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        27⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        31⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        45⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        47⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        67⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        68⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        69⤵
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        70⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        71⤵
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        73⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1396
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        77⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1524
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        80⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        83⤵
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        84⤵
        
        PID:624
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        85⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3044
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        87⤵
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        89⤵
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        90⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4108
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        98⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        100⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        103⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        106⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        108⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        110⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        112⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        116⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        117⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        118⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        122⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        124⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        127⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        131⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        132⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        136⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 400
        137⤵
        Program crash
        
        PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5928 -ip 5928
1⤵
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
192KB

MD5
482c57a091c6d8cfc9e74468dbe3b63a

SHA1
cefb722a628fdfb41784be4bfa950b4ea0cea25c

SHA256
f29875330066a90618be892f35a7abfd7c06158b6b119d507bc69ebf5193fe0d

SHA512
d3ac40feec135708e4a1691f3f150c52d29e851f73b7c2f22e65cbe25e9af2f081c11c33764b415470a7889e9917e13dd2604d46504c33ebced289d978b88ccd

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
192KB

MD5
eec188b16d190ca8445fc54442135301

SHA1
4b94f69e4e63809e5572b29824ffb036e6563c21

SHA256
07dcdedc62ceac2d3b71b99deff59d74588617625e5b8aa1398de65720b71963

SHA512
155b949c28be55b63a53b64858707d97fcaf3689097f6293efd1436db1faf1a3e7344255f8a0648c0b0a29c6e72744ca2e40c291b378204eccaf4651886d09dd

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
192KB

MD5
07a82abda4fe160448ab5b59830a7dc8

SHA1
d517a45a04c8f767689e32e3ca324c168c185d8b

SHA256
a555820f28a363368a474fe199d907a7e81651984722500f35cd084bb605ae58

SHA512
d595e73fe56439744fe3263f728bc245838dcda4a809708788790bd084819458e9a817a15c6a3bb39b7665b38a3c2e3c2c55d7139c634c24b438529ba03c28e2

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
192KB

MD5
e0dc38c1f807f41ef8c5ed40d9bfe961

SHA1
0efe97a508ce0756108acbb5fa627373f73ae7f4

SHA256
555def8044ca3b75cf48d602707e3bf0257bf5786056f84b53a859324d40fa5c

SHA512
01e29badccd99689bce3a322d0e0318271800759cdf9020c8db194712cbb026c24b1cc2f1de3065f9c4c40b2cec566c8e77a3f3df9f641f9d10e38d048b384a3

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
192KB

MD5
b26b83a6bf3f54f83f1d878025b47bbc

SHA1
a462a6f1d8bb7d60c4fdf92092bfefba9935e6b8

SHA256
a0095b3d26244c6a9cbd5f576456c5c8f0bc44b3254f789354c3daa2cdb19ead

SHA512
acab7048cff5045b0812541990c6bb7fc3c204aaa779eaa70080f92b6645802b33b16fa9da5417fb21e7bfbec22773fd9d473f7f404fa13d54f0336293df6266

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
192KB

MD5
1906d90503ac8b1b7a29cd66f9c91ade

SHA1
a9f0da747490e6da1b3128dc71b264db36b74d9f

SHA256
f5b24c2ec0768859509be88d6df3ef6128d901017f0a2af00113922d158bc515

SHA512
0e2fbb6719792559fbf9e753559ecbdbd6d9918f9c815698288230ec9bd2568f9961265fd03ecee08fb8d103e2c8ff145fd85e3d6207784fd2111e6f02fc5174

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
192KB

MD5
69675567c1366ea5dd7fd802fe93df5e

SHA1
ab33d56208b197814dc73325bf8edb00f7ca45a1

SHA256
b085e90735ef327367cdf2f29fda02f1d81ede4b9b0f971bff199fa5135ce1b4

SHA512
c8e6e2fa5a955552863e3f5bcb638939be4ce4d653fc1fba17cfac9eae1cfe488595aa06ada23fc90cf94e4bd7e6ec76bbb4fbf01bb5e1168a5d41f73584b03d

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
192KB

MD5
a6eb135350cae26d5e0affe815d8a029

SHA1
6363c2718fede401e0224f7673b73e5175c0b73a

SHA256
5bfbb0ca4adeea48a9df0391abebe5a6eb4d54161763ebd20e3bce26d0f6570f

SHA512
18e8dcd4ea3583ae09af667e419fa48f1835eedc3087d593b6a1fbf093a83ca0786d67e8f34e5e1f6399f7ff3859708ec24461f614212a480184fde061914c8c

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
192KB

MD5
e728663d8997d0e337c6f466c7a165ec

SHA1
10c1095ceb545ba6dce9fc97b3e977e28447d0b4

SHA256
538ddac7cdb6f02b3aa52808bde6b0a52cb9a055e7d565942a7b682916072845

SHA512
c33c47b52a55071dcae9f2b34492f0cb590d7f8035cc43639d60063e7e8f4d8ffc66cfe80cbc5604e1ce213d6dd1e70dfc07e272fc1a19cc573e25d0585b8928

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
192KB

MD5
15d5041f0b5a72ed8f6a39349a901339

SHA1
12354c7d1fad04b6e7fd2343ee6ebd716118f865

SHA256
05fc429794aedc0916206d8f45d41f6039710cc2c0597337598dac87f57109c9

SHA512
b9bcd37dc5eba79044dbd5466176ac754c62fd249feccd80760140f0320585bc82e7aafaa8c089f8b0b9d4bf1a2d0211d073810d65742ea15e602c74fe0215ea

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
192KB

MD5
6e49126fd6db69a8d1529fef84ec25e1

SHA1
4bc466f4ec8bb0bb9c5fb1a6c3f782bb6a67de2a

SHA256
c510ee65c3165006bc0209167594ad62c3aa5091afe806d2fa963db11c9da157

SHA512
3f84eb0641ec198fade2c8b9672fe838db6d0d59b0e3002ef491e96d8b0355bd2aae66f10a070057afa1b264e71b3be491d0686864862660438cd084871953fa

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
192KB

MD5
c1f0f72543dc57e90f60f60cb41a714d

SHA1
4044d7d96cc04446a9b52a446e512cf6e9ee7d49

SHA256
c24e7f52b5355458c5324f7caa136afc96d957a03c7296da025192158e9fcb52

SHA512
786055402faddf71d1ee93f8a5704a4dc18a51604e3e5594ff4bb0a3055a84c8e8700b67653f6596cf3af1900df83c7860be0913b5c71397adb400d92799ec39

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
192KB

MD5
f384892480590bf36eb17aa1228b6029

SHA1
e4ba5f8e043699324240f76f161a84c339f7a083

SHA256
cc2c42d3329f9dc1a5b2e797c07db66ce07d1a820f9186180f81a12c2c5bf166

SHA512
c4499f17a4d3f04d1c34092d7e7897b8a210e1fd697607eb6105b703005493a58c2180f87580f595b521bc3829a96c602448df1403e3859f17b0e0bf7d228e17

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
192KB

MD5
e3cce8943a8acb8ae4e69717b26389cd

SHA1
36264bc00cc680189f89bff2b02f40aafb4bce89

SHA256
609776c16fee23569933ae00277467233bb02724135accab238cf669fd41da26

SHA512
073ecc809f8dc3cf1c58bdd058301ff1df589968af3a708262948154e4849dd0f1076e5485da13cf6607887fa693213ad7c52ebb219fc1c4d2b770165feedf94

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
192KB

MD5
d0fbaf1e97e1531f0d678f8e1a662309

SHA1
f55cb31c2f130b255f6e9cd92a5f7863666094d5

SHA256
e115a970039e533a45e2502ab7126f46eb32c94ee9a110070314f3d54c063391

SHA512
ecb20a12dd47e575a675a21713dfae3cfa9f510b1917ddfd01c7b35145d918474ff68aaba53f4ef7c688813330b5d81a297954e658e68457f098c798516e885c

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
192KB

MD5
3bd5ac956d559efd55c8d5f0a1664506

SHA1
6d7c4cbff34c4c1c8f73d608a96092dcf22c1573

SHA256
784bdf244760dfb46181e714a6427935e68939e5f84f0eba002da9e5bb5bff3e

SHA512
c0f165e532952799533e9de28efc38aa326d1be6b0c078a9a6e8d86856a65388c3d09f2ee7baa08dc79f07d85ee9048e4d239af7add41610d4e2629ccae7c23f

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
192KB

MD5
b5074db1651e1730fcc4a6de8556df87

SHA1
45f54e799ca68ef9dc52b830125b3f3210a00faa

SHA256
6dcc389141b3bb66d540112f2ebf727a00fa8a993123945f7419d6ffa5b6b437

SHA512
8ae780376d1909a16732536f514b1504f6957c184da42e28aa142f9506fb4dc495372667aa0b4254368d6aa2e9890fff80ad5e16a7f38e74c497d4164014634a

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
192KB

MD5
fe34e46566a40d07f706aff1886b115e

SHA1
14c589d067ee04a0ee38b830b7d2d793f2c38311

SHA256
c61736b3fd429e0c1facd5c137b9f31e43dfcfb1698c3bdb7a75d9d54611c5fc

SHA512
01e49f523d4eb020dcbfeb2ff1717d0923e475dbc918b6dbaa5c6aaaba97d0c2b6bb9397b34533a1bc3c95ef975251f0f1ede33be72af89f06fa0d32ff9275c8

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
192KB

MD5
c33e20555d5d060c7262ba8ea65b33f5

SHA1
5e11b16dc5dd37d6a2586aa791cab05e3bcf5c3e

SHA256
0ab67107f0b3de920cde012be0966d4d320fa597012de7fb83c0331c5caf7f08

SHA512
4cce1dc4de90b0c13be69233ba7459da61a6401b7a9bed14d1c929c428cae9dbb5365c145b7343c8790a7f4d2063360a01b5ab4dad4be88bbb172e09b24c1ad3

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
128KB

MD5
eb9bc80dd7e5a1381a6cabb4f6c0f094

SHA1
55eeb0962a0af267a5a03c85e8b4ae6cfec32f61

SHA256
11d3c6e9a67c7a4db3c0c9a331c97d5b493316adb90aa7e727b824b964752c4e

SHA512
589299ef7b63c92454c4301b9483220e219288fa277ce171fea0b6b2f0550378fc851fa4e01e1a391d44aa1faaa9a1517aba789dba623c24daa0c94ae7654f6b

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
192KB

MD5
85bca098eff81fb788536eb583cc3c3a

SHA1
d14a2f7a726b883fcb08dd35177d248540bb4819

SHA256
8bde9f88ef217a606b44f0d3a7af787b68da7af8927f5253fdc8d4120e2ababd

SHA512
a138d66f6ebeea08e35a52bc890e22f8ecec8e16a1e6a8e8f6829b4699c4fae77510fa5be7a7980c904c708a11ff4b62bb88c86fc85c31cad560b8a9b6a5f50f

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
192KB

MD5
483d78795e15794e954790ac506c8c1e

SHA1
b12e6f7a485759b68d7dd341eb122d6100ed696d

SHA256
c4e1bf25e84917318c3957c24e9967ca89c9438839f14cf7bc645357b4276fbd

SHA512
dd7a3d8b15a949607bbff7befae85f272c350e526c1d74d7710e6e444e656a4ca46060b177ad5ce90318a5c35c7bde1e4432d68a0ddac9b5714f0faba7690202

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
192KB

MD5
53d9500f0e1ab5a1fd30963cbbaae41a

SHA1
0d9a8067ac8190c1ed4bde438ef9c6f6db726d8d

SHA256
7098b9d966303ae2aeadfb11a842fb1365ae0636dd67185dab6c827ea0a3f638

SHA512
8c196f6b4f542a91859cd9aa4292111ff5fc079d4ba8de5c0f3cb34f7d33c5fc7edf009f51ae414dd169764371e22b56f5814d6177fd05119325b263b6acebe3

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
192KB

MD5
b6bdaaf4a63ea73ff8562ff7cf19b8b1

SHA1
f8107859af495d09166a09a856c000560831bbea

SHA256
afadaddbc179376619a5aabb0a05ad2454785a0ae1cd9c5b4bf5914801d0fd27

SHA512
560f38d53c91ea424098dcd3e1bc06c6c67131d77cf228c12a632f1fdf58b194d411383598fa19e6f44d98ed67b999d008e046759f35749416d133c0d42c3d5d

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
192KB

MD5
a217068d9a3438c758ae1bc9ebe7d142

SHA1
70451625c336571a5eb5c324e5231c2d9a5f7c85

SHA256
2400c6b2dba0aa59c491bf3e038051a0845404d41bf9bb60fbb7fd91f848c9a7

SHA512
b8faf3260ad4bb118de6aecd5343348ac323a90f4487dca5b3584ef0e064583c8697fbbd30de07439a8ebcb45b956b764bb53a145ba46e3261a1e2d6b92e591a

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
192KB

MD5
fa0f96f4c0e1439bb91a7fbdca8bb168

SHA1
d660652ce07aaf51bfdbe7a17de71e1543c6d316

SHA256
e7fac0c855c2743725604db400ab9a9190378ac5310dec5a0525b78e599ecaf7

SHA512
c92ce48c5fd4e8fc379b3e51d4b8cb76be181f75f6a4d32300cbdefe7d5f8ce4a7343e685f655669353820cb7ca97bdc78207e424c9bf00509bf8378f4810530

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
192KB

MD5
381fdf0ccda56f23623c6c2d551017bb

SHA1
ca74a88f125c7cd6ea3909d4c219ba9fe7ebd539

SHA256
d5a5652af11efc30d8ee0902c38a5acfad34db11e18132ac3c2f0817ffd8433e

SHA512
4b10b1c86aa197e6c33098f0b9ea07200159cc47c836886f48aa13dec97f7119dc4a98c3d7f9070c04f036838e4199e12de8ae2a3f017341e06ae3f73789afb3

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
192KB

MD5
0912424fd56f9db46c2741ba35229533

SHA1
935b3dc8619b324b6d4035c1a592466450cd8787

SHA256
3bbf1d02cd98c5fd60f23ccb1ad52ea9937f664b6846b51caf6768769835d6d3

SHA512
d7d481e77a0a52ae94f6656d879365707d45e5b85a0e1150cf193e3ddce82e0facefa7b769ced3464ac4496dfcae7bc33b1984329707a11aad1fea70881f9c83

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
192KB

MD5
3b0334ffbf9396d542381ee1d9762a5a

SHA1
4532b26e070396dec2c842764a36452f937e04b3

SHA256
0c5a4e0c21f506b68db540e90a85f984a33aa353ac1ee7452228ac132bd898cf

SHA512
23bb53aaaa3eb04644ea7f1af3fecbcfc1135e95a8246ea0d117f6b76d8389e9062c6bdfca16d620379c892fc7d2073eb073bb08fe42d418a17fb8d7a47ec761

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
192KB

MD5
85829fa8bd8ba894e84aedb646ce7915

SHA1
87fc5d880de24b02e5da15a197a1f41a48f14279

SHA256
9200b6bc8d51dca4d38adc20940d82e9e9523f078f452f611d8470a527aba7ed

SHA512
a150fbf6aa226dc1d6c7a93a8422417dd9ee28a9cf2a4c737dfc932c37477fa0437ea1cece743026f9251eabb37f643c588cf528b84f0893bc6ff11650a5c1d7

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
192KB

MD5
1020b561be86798b8acd9aba47d26a43

SHA1
7802bbdcaf1f079c71f0ecf1d9c07c295e543aea

SHA256
c723c2b8aa7394b4fb51a8e8b11fbf405079985dbab548fb034efb057928a19d

SHA512
568f6e804b5248db62de1388612780f10ef9ae9d19ea3e0c2a38a804f9eb586ace563c36cdc3ddd97c6015015c0bb03e7037af3630c9f098187fa49a5072af03

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
192KB

MD5
0534d6c77272ffd8bec69adae854ab4d

SHA1
9aa431058178eabb515ae8e4a1b28d7a8b87f92e

SHA256
3a20df9d3c4dd73542bc87128375714f1abda4d3e0e20639726ab48ffffab979

SHA512
a38cc2ffcb3c95992f585770a7b8bcbf2a02dd68183988f83bfd936f9760d4feb4e2b3a388a39974915735f127002a713ce0d5a7dfcfaefb5a618263472bf2a2

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
192KB

MD5
4ff8edaf9a374a55764748f5c2406d5c

SHA1
4919e7cada1f38738ea3d3093ea4f0c99fffa7ca

SHA256
01731a9c09370803c0c4565c27f54613d145c8bf9cf2e5470e531c9938710db9

SHA512
eb8415041f48e3a4601d5de888765e120b37b8ac12accaaf905b2e57339d1bf61532f62dbc2d9c3f79946260a119730628c0ec52880be78808e44772e6ffb941

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
192KB

MD5
c39bd342742d9d6ee7dbab1065454c88

SHA1
d9726a17d590e3f2f6dd1eaf3cbfeea43f7252e6

SHA256
fcad08c446e7522e4d418c036bad96b13fc266c357b7ba1637b592f887812724

SHA512
c2dfd5c11f29cdc4c774ca471542304ac4532b9e84b6f0a1d1380af7d1d1c91074f3e30cd8c322f05822699cbdd3674536b0669041c7a2303bcd9cfabe628118

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
192KB

MD5
253cd283376a2351a3947407b542d113

SHA1
223b833486a21b1ae301e1b126bcde0b369f8fed

SHA256
9b703211be4dbe29a6521eceb539d875cc9904370338fc947f5214d2b5ba860a

SHA512
66067302583d301c20d56b0f18b41b6c9714a173876c89cbb847051538cbd7c3ba0c2f77c2c15e37cfde3b4ee743bf5fb62c4ea91f743e78d2a884eac9dc12b9

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
192KB

MD5
b0c56191f15f209037a22484321879dd

SHA1
e34eeba046a9232c94d169e6463160e1726667dd

SHA256
4d6d5cd0cbb1dd2ee5ebb9ac5566ce7f87cbe72f99eb0a6617d46b80533c67e9

SHA512
2676a363b6d7fd4b01518b0915f0cf0d698abf71200741fd8b1e04aed9c6800e0f4307f82fa17f0abb4bd6f9673fc61b1ff51fa1e7bffdd7643c3e5ade848303

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
192KB

MD5
32b71c81516f58881650c483bd5d4f77

SHA1
e528d8a1b480c9913eb6b079690b47e855afbd8a

SHA256
261644af15e270f48f1c3b7babd5cfc12e21533f0e58f2b798ecf8799e258458

SHA512
5a8177517016f03e37b2642f78450ff2c66bbd26c1d493b49fb1576865f17df364764768bf5e88ec58b02acf219ecb558abe925f8bbba0cf41c4b51ba5624b4f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
192KB

MD5
8d1979f30d6f0cbece45f4c6e011e85c

SHA1
2e1c982a9c41501230e79aea4684be263cc0ba90

SHA256
09ac40a3228744d8b393c379a0af4bff04e60f9368bb6e3a7c388615c2f371e2

SHA512
8f230ad7f2da6c2e139a5f97e53970f8258605eff6da93eaca5ddf3ace4427ac8b9bd43a582ba9a64e90dec6ed5b7bdad610f9be7817197cfe649785855d1843

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
192KB

MD5
75a07b9208242cb1f4c34f5e87d45e87

SHA1
e7ee00cb5b3c33180b75a7b3eeec96e83eb810c4

SHA256
014cfd1a0d57b0e2d83fe16c1ea1a7787553f7fc50b14768f3e80bf4f0e712a9

SHA512
72ab4c6b0ec77e9828c79b2f3e4839a0c005f58c4ba47ce8d8e1820aab3628991b7345ecb38e8704e2b48ec34003b8d8c94d653b3fea49d87c8c67b48437c5ca

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
192KB

MD5
53478c103ec7d39c06895a9c18fe4b69

SHA1
f7d1a678f0ca64f32cade90ea1d6c02ff76996bf

SHA256
d82c09417e0118d158fa5796162b5d6d0b1441ca902bc29cf436354f987e386d

SHA512
2a2c323a49c91baa837b873b1d83d6f298b8805180d77f257972199d6f664ccbc148a9da30823d83b43e907fac81ab636e8f9060ad83daacb763153f04b35aee

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
192KB

MD5
8a96ca7cd9bae83a97933a4216dadf31

SHA1
81a03172530cb3a2f5ce42507ccadb480b3a6dce

SHA256
bce937cb5dccf50fa4e194581a07a34d35f54be052411f4fae72157deccc3b69

SHA512
603074268226e7dd6710d76cb6048621401b836deb7f2b2fc8107feec06e1ddceaba4799ed2fcb9b59fba89ef6eb814ffccb05fe0b271fd461c05aa4bacbb89d

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
64KB

MD5
af1c4f97ad4a29950c55875eb872174b

SHA1
45952a370fc850a0b55a6ba765d3eaf8d2e06f6a

SHA256
acbabcd50885208a47f7c35af5fc082bdb6cbe641cfc1346cf6c6a6e6ef089ea

SHA512
97cf3a50b3f838403287adb50db5de8acdf0abf0eb02d5297d4a48915c18b28c82967bac17a960e114386d33d432d2d7969f661f49a485c7faf5ec4b09a7a9fe

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
192KB

MD5
3a42267752644b64ab494d6a212ff714

SHA1
5bbd7fb7e68dff2705853b7e73d75528a9a0fd59

SHA256
30bafa132c84bb2924cfad8f193d9f8c383c3c53313e8d0b8e0c593563d19005

SHA512
521215b5c2cec95f4507c9fa0828a933c5f57576eded10035af2523b4af69268c8af953fcc184ce12f8b46d03b7e98610a6d83d18cc5be90bb9919ebb99c3428

Download Submit
memory/400-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/672-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/784-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3104-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-991-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4088-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4304-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4356-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5448-944-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads