6c9139a2d6db4f813b9f16a50d34d4af99d2deb23d6e494c021d3973d76223e4

Analysis

max time kernel
131s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 03:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe
Size

96KB
MD5

6cd018b81a2c27ededd7ac4675b26280
SHA1

d8ec59cce6556e4f76d152d178f538083cb382ed
SHA256

6c9139a2d6db4f813b9f16a50d34d4af99d2deb23d6e494c021d3973d76223e4
SHA512

0c5f0f7847841bcf282f753321186c5a89c27ac394e549c16d69ede05f659d67f1d47cd0fe707b3fdc211fafa884cbc8e0375b0cde41608b713cf24a34b4d4b1
SSDEEP

3072:SmGFbiV2d4wxAGRZb4IoYrzXOnRNd69jc0v:5mbvKwxlRZb1oYr7iRNd6NV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe

Executes dropped EXE 64 IoCs

pid	Process
3148	Hcqjfh32.exe
4380	Hfofbd32.exe
3056	Hjjbcbqj.exe
540	Hpgkkioa.exe
2168	Hbeghene.exe
5644	Hjmoibog.exe
2912	Haggelfd.exe
5228	Hcedaheh.exe
5064	Hfcpncdk.exe
4560	Hibljoco.exe
5412	Ipldfi32.exe
4784	Ijaida32.exe
2200	Impepm32.exe
2512	Ipnalhii.exe
3992	Ifhiib32.exe
2276	Iiffen32.exe
5588	Iannfk32.exe
1604	Ibojncfj.exe
3936	Ijfboafl.exe
2104	Iapjlk32.exe
2376	Ibagcc32.exe
3540	Ijhodq32.exe
2240	Imgkql32.exe
4976	Idacmfkj.exe
4100	Ifopiajn.exe
3708	Iinlemia.exe
4548	Jpgdbg32.exe
4564	Jbfpobpb.exe
6112	Jjmhppqd.exe
1300	Jmkdlkph.exe
4536	Jbhmdbnp.exe
4656	Jmnaakne.exe
4088	Jplmmfmi.exe
4188	Jbkjjblm.exe
2024	Jjbako32.exe
5356	Jmpngk32.exe
5336	Jpojcf32.exe
1052	Jdjfcecp.exe
6064	Jfhbppbc.exe
5760	Jigollag.exe
6092	Jmbklj32.exe
4956	Jpaghf32.exe
3208	Jfkoeppq.exe
2424	Jkfkfohj.exe
3184	Kmegbjgn.exe
4748	Kaqcbi32.exe
5112	Kbapjafe.exe
3452	Kkihknfg.exe
2092	Kmgdgjek.exe
5072	Kpepcedo.exe
1020	Kdaldd32.exe
4316	Kgphpo32.exe
3332	Kinemkko.exe
4432	Kaemnhla.exe
1560	Kphmie32.exe
4716	Kbfiep32.exe
4064	Kgbefoji.exe
5796	Kipabjil.exe
5984	Kagichjo.exe
2224	Kpjjod32.exe
5840	Kcifkp32.exe
4852	Kkpnlm32.exe
4804	Kmnjhioc.exe
3600	Kdhbec32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3828	1756	WerFault.exe	220

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 3148	624	6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe	83
PID 624 wrote to memory of 3148	624	6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe	83
PID 624 wrote to memory of 3148	624	6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe	83
PID 3148 wrote to memory of 4380	3148	Hcqjfh32.exe	84
PID 3148 wrote to memory of 4380	3148	Hcqjfh32.exe	84
PID 3148 wrote to memory of 4380	3148	Hcqjfh32.exe	84
PID 4380 wrote to memory of 3056	4380	Hfofbd32.exe	85
PID 4380 wrote to memory of 3056	4380	Hfofbd32.exe	85
PID 4380 wrote to memory of 3056	4380	Hfofbd32.exe	85
PID 3056 wrote to memory of 540	3056	Hjjbcbqj.exe	86
PID 3056 wrote to memory of 540	3056	Hjjbcbqj.exe	86
PID 3056 wrote to memory of 540	3056	Hjjbcbqj.exe	86
PID 540 wrote to memory of 2168	540	Hpgkkioa.exe	87
PID 540 wrote to memory of 2168	540	Hpgkkioa.exe	87
PID 540 wrote to memory of 2168	540	Hpgkkioa.exe	87
PID 2168 wrote to memory of 5644	2168	Hbeghene.exe	88
PID 2168 wrote to memory of 5644	2168	Hbeghene.exe	88
PID 2168 wrote to memory of 5644	2168	Hbeghene.exe	88
PID 5644 wrote to memory of 2912	5644	Hjmoibog.exe	89
PID 5644 wrote to memory of 2912	5644	Hjmoibog.exe	89
PID 5644 wrote to memory of 2912	5644	Hjmoibog.exe	89
PID 2912 wrote to memory of 5228	2912	Haggelfd.exe	90
PID 2912 wrote to memory of 5228	2912	Haggelfd.exe	90
PID 2912 wrote to memory of 5228	2912	Haggelfd.exe	90
PID 5228 wrote to memory of 5064	5228	Hcedaheh.exe	91
PID 5228 wrote to memory of 5064	5228	Hcedaheh.exe	91
PID 5228 wrote to memory of 5064	5228	Hcedaheh.exe	91
PID 5064 wrote to memory of 4560	5064	Hfcpncdk.exe	92
PID 5064 wrote to memory of 4560	5064	Hfcpncdk.exe	92
PID 5064 wrote to memory of 4560	5064	Hfcpncdk.exe	92
PID 4560 wrote to memory of 5412	4560	Hibljoco.exe	93
PID 4560 wrote to memory of 5412	4560	Hibljoco.exe	93
PID 4560 wrote to memory of 5412	4560	Hibljoco.exe	93
PID 5412 wrote to memory of 4784	5412	Ipldfi32.exe	94
PID 5412 wrote to memory of 4784	5412	Ipldfi32.exe	94
PID 5412 wrote to memory of 4784	5412	Ipldfi32.exe	94
PID 4784 wrote to memory of 2200	4784	Ijaida32.exe	95
PID 4784 wrote to memory of 2200	4784	Ijaida32.exe	95
PID 4784 wrote to memory of 2200	4784	Ijaida32.exe	95
PID 2200 wrote to memory of 2512	2200	Impepm32.exe	96
PID 2200 wrote to memory of 2512	2200	Impepm32.exe	96
PID 2200 wrote to memory of 2512	2200	Impepm32.exe	96
PID 2512 wrote to memory of 3992	2512	Ipnalhii.exe	97
PID 2512 wrote to memory of 3992	2512	Ipnalhii.exe	97
PID 2512 wrote to memory of 3992	2512	Ipnalhii.exe	97
PID 3992 wrote to memory of 2276	3992	Ifhiib32.exe	98
PID 3992 wrote to memory of 2276	3992	Ifhiib32.exe	98
PID 3992 wrote to memory of 2276	3992	Ifhiib32.exe	98
PID 2276 wrote to memory of 5588	2276	Iiffen32.exe	99
PID 2276 wrote to memory of 5588	2276	Iiffen32.exe	99
PID 2276 wrote to memory of 5588	2276	Iiffen32.exe	99
PID 5588 wrote to memory of 1604	5588	Iannfk32.exe	100
PID 5588 wrote to memory of 1604	5588	Iannfk32.exe	100
PID 5588 wrote to memory of 1604	5588	Iannfk32.exe	100
PID 1604 wrote to memory of 3936	1604	Ibojncfj.exe	101
PID 1604 wrote to memory of 3936	1604	Ibojncfj.exe	101
PID 1604 wrote to memory of 3936	1604	Ibojncfj.exe	101
PID 3936 wrote to memory of 2104	3936	Ijfboafl.exe	102
PID 3936 wrote to memory of 2104	3936	Ijfboafl.exe	102
PID 3936 wrote to memory of 2104	3936	Ijfboafl.exe	102
PID 2104 wrote to memory of 2376	2104	Iapjlk32.exe	103
PID 2104 wrote to memory of 2376	2104	Iapjlk32.exe	103
PID 2104 wrote to memory of 2376	2104	Iapjlk32.exe	103
PID 2376 wrote to memory of 3540	2376	Ibagcc32.exe	104

C:\Users\Admin\AppData\Local\Temp\6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6cd018b81a2c27ededd7ac4675b26280_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\Hcqjfh32.exe
  C:\Windows\system32\Hcqjfh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\Hfofbd32.exe
    C:\Windows\system32\Hfofbd32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\Hjjbcbqj.exe
      C:\Windows\system32\Hjjbcbqj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5644
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5228
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5412
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5588
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        23⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        28⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        32⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        34⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        38⤵
        Executes dropped EXE
        
        PID:5336
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        46⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        50⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        56⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        57⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        60⤵
        Executes dropped EXE
        
        PID:5984
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        66⤵
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        67⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        70⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        71⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        75⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        76⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2028
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        78⤵
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        81⤵
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        83⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        84⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        85⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        86⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        90⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:828
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        92⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        94⤵
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        95⤵
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        96⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4476
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        100⤵
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        101⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        102⤵
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        104⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        106⤵
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        107⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        111⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        112⤵
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        115⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        117⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        122⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        123⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2640
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        125⤵
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        130⤵
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        131⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        132⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        133⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        135⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        136⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 432
        137⤵
        Program crash
        
        PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1756 -ip 1756
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haggelfd.exe

Filesize
96KB

MD5
d61b37e5b3e115b721278157add43b76

SHA1
c63e4aa024bf93fc1371dacaf9b7bf37484cff73

SHA256
8c918c6c4a4c58032550fe85a0251d70becbe1893d8d85269780028d82cf3200

SHA512
8b5c896309aef191121e0e02218e667d18b042eceb386085cd3b6a7296eed9eb90c829cd9b6498d8ab076d4c74e69dc3e5be86b2ea780e42184ef1e02f5a9f9b

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
96KB

MD5
2f564acb95fb23d04fc9964fa4fb3d32

SHA1
0a4aae39f7ea37bed92dabd129f68897371f73e7

SHA256
354d17fd76d49e0da869c076a798523ce3f8d7499866f1db93e0125f77b9e84b

SHA512
f52648bb6f98c909b280b9095d3dbce070e830e0a53cb87cdf42c10384c4739852cb5787d3a59b6da3f5eb061161386bfffe1d33a34a01a364c29e05760d4f04

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
96KB

MD5
ef9734f9a34c014510699ebd12059cca

SHA1
9d631bef9b77db851a12a35098374ac6aff29f54

SHA256
3d58a55029dfa0c68b9d26f9bb3fa6a2c1ffee6f7419aa43f6dc7d4acdde0355

SHA512
146f5dccf664ab212e612cdbca170da3c2eac373205649ea21d1efe855e6f3fb0b87113b31775236774b5abca62f97cb1fffb169093570d6d37dfdce910cf8a7

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
96KB

MD5
e4a83769e5737f75ad91f3008e725e5d

SHA1
b1b71ef8bfc7267aa028266b397748d2629b6049

SHA256
7f076af51ba9117f686f69948f27b1b00de04d932214601f41aef32742af41f8

SHA512
04679ae2ee34fcd40d4db11a6ae8131e480a43dc835b76d6bd0f64caa7cf525d07a847bdee0127a58fb3666450542476a0c9917fbd028ec3baa3208431dc41dd

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
96KB

MD5
7d7be37d3783ebe6373e5033c67c6f38

SHA1
d45eb81f70a66770a64fad071c494e9e0a91c1d8

SHA256
b58c4f6e59970ea929e36765079f53cb3c0dd97254b3b566131786c7b0aa3612

SHA512
f7ad7c0137e23233333a375c814f1b4ac58643e7490b6424bad4f28948b305817152b85789feaf18ed385b8bfa9e63b3255d4fdcb4b4da486a4b8e2abf4541f4

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
96KB

MD5
f2b183c352c18a66a913938ce4a8974a

SHA1
00819b0a4c32152412a2bd512d4b205848d6edc5

SHA256
f462047c55ec4097aea595334c4bb09fc8ed072943ea2ff5556382f7bed6f318

SHA512
7916609e8fde50dd7390760856aa679f470727be76aa5a0ab26c90a8e27b4b1ad48b42ee390fb7424a3fbdaec8f56b5432ee36bb7b4804a0a96722464e51bf00

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
96KB

MD5
e454a9ca4c004aa10c6ab1e0dd30b251

SHA1
39d45d214ab95276c180e31a048d0906a7583d28

SHA256
0992fc8a28349f3ca7be1bf9642d6f55498d6744e76e57c4826c0b4e80be1e29

SHA512
17b244e613d10ad65118db47e3b3c7f1e96144634236c37c4c04eb06cfe67dec7063e493ddfdada8af78dd9225bed834cc6a558fbb14a59630f6c28a46698faa

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
96KB

MD5
fcaca597534a4aff79c19dcb1cedffe6

SHA1
f50afa203f1c5de665a3a4252e84015a6008b666

SHA256
21e34746b2bca624758c80e86511eb36d5c9f752a0acbce4b294472914331737

SHA512
5d290dbc902c6fa826e35a6faa05da61bf3147667aa212f82dceb74e65c262c36797eaed4062013362f2ce8dc383d989477ed4df9a0f2dc63cf05e584591c437

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
96KB

MD5
887578d547974af318f0c69bab50f578

SHA1
fcb5739b2a0550c7534c09bdb6fa5e2a64e7685d

SHA256
7c820fa69aa51ec60914f8ebe4f1372f0e57446d7f05d3419b92a5b116374195

SHA512
77c619d4ce5895ac9230ee707683b98db9bb9b89164556b922c961f7b616fa93e2fe62bfd928f67fc73b424328ef92d36cfc3e0bc0c128c17ffd2ff236869ed1

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
96KB

MD5
1e559dab04a21ec9acb2586114e2b06c

SHA1
de74090b5a67721224d5b1eab29bc46f4eac911f

SHA256
a0a997b43a14e7d70697675c36b3dc8bde553b07f6c019f69501d5d4c4f4cee0

SHA512
d7af44bc105119245570068cfe296cf9152176b56bc141844a3ebdf5d563e470d1bf006f7fc926c8670d8d68333f027d7d7892d1a840d96c4df289e9b2a0c06e

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
96KB

MD5
3f056533ae011ba5432fe54b381d9699

SHA1
265db96768010e4ce6c38e9689e016f151454a52

SHA256
ac292621c9f7cff2a7ece4c525b840534ddde3f310cb751b4640e18ba46b8d89

SHA512
280771bda784755ef75f5442533c1a8888b4c81dc6430f1a9140a99188a7c7867702282810b4f152dbf8111b73df8ce747fa9bc746a5a30cc6fc9511c0e88ecb

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
96KB

MD5
3e82ac04c1b3c84e40d07c62900cab3c

SHA1
989875508d078bfc5524f6fd319282f154f270e8

SHA256
77fa21045597a48cf2bed3b07fff3d7edfc0875654086516546657fbd366fdc1

SHA512
45ec8f9392d65cda42432e6e38f1edada0d4b218bb91eb1e29ee9536365904d938b12f3e4c245741b2f987d2047caa02eada8c6b351931d65cf80349d96aa5ce

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
96KB

MD5
300bfab17c08a4c186fdc116942b9bf3

SHA1
1a3f33d43a66bbe6d9da743a82658b9b441101a0

SHA256
193fa3357e8555e1affae90356d4c29c3b824295ef2abf799df2edeb9b7dc292

SHA512
8c96d03bbbf7a41340a8144516846c8ecb7f2420e185e75e3b82c73dcef827d75fe82dbe0f853580ae7b470fb0442df19e39b01abcc68d15574ea7109787670f

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
96KB

MD5
ae4c08a74ce023b51dbd83d821e0cc90

SHA1
d4acab98ba556f994c969ea17722e7a35d26121c

SHA256
4d53d1d4ffb3cc435c5ccc1b0b77caefb630fa6d883eea611732935bbdb31a1b

SHA512
48f33d1d59cdba16390e6ac5c7856837acc3a8566791ac5c75202a2746cb9ce73de4c575d869d1d796b5622378d1f1d642b34b0dd3701e2d182cefbdbeda2ca0

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
96KB

MD5
8c9f47dfb9dafc5bdd4bf0af4e2d35ee

SHA1
30b4e8aeb2586056bd31c55aad4ce9be2b2e4d64

SHA256
8cfe5bbe1c7bb04039054843d23dba54230b1410b822ef938b54ce2cacb16907

SHA512
a1d493fc88b7d9a64737515c48ff5297f6340da4f9143f7f26552d007c015a4ff8e7d3d5677f389d516b9ec9bcde93417d1ae623c97509bb25ec683aafbd5b9a

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
96KB

MD5
03d027607f8fb7785d1b50afd33cdb83

SHA1
fb5d62d80b5c471d8b517a30989368adfb764705

SHA256
5a65b44191ee3c5cedcb6a818c03dacdc99f0cbccfc01a98bdd703d18369b6c0

SHA512
e5ba70d5531d78c455c3cef28757aa92f6d6580edc674e5e2e29e379198da078c991bd8c5fcae68ea4f1af8897f748d16879ffe15b3b6a995cfa177c59c6b212

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
96KB

MD5
9008784a6d5e865c24904f060a4b5b52

SHA1
408e15bc440559ccc5832d842a12f0011927066d

SHA256
d19805fe7ec2ebfc2d61f1755cdc68034991890461e68563a7917f453fed9470

SHA512
582a1510706af661503f50a73ece5e8f2678149f42361b0bef251294343edace0fcfdd025356a76f1f6c2c90d7f915790288e195c412e549b7cddd910e146fce

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
96KB

MD5
50bdb27ce063a8cb219afa87afc61a5d

SHA1
c6e2ded01bffc6939509cf06b31a677b7d8e7d3e

SHA256
7257c5865a087ef7fbe523f0cc1dff84f61633808ea903221a0d2826e07d48ce

SHA512
45a1ea7bff4f62e3b54a954b0f62ac631fdcf06d9d3a1373755a6bc5c776f7c438eab233b84455027dd77218d4eb2e8bcfa45241ccc98e5def45ef6de7de4f84

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
96KB

MD5
9cb5be0074f260b6c243302dab92860e

SHA1
69dcbee865f99cf922f01f2124d846c80b0e8884

SHA256
3c117edff942b44bde91fcdd298ac03ca056a3f30f04baab825317e382f79534

SHA512
208256489f9dfcc75a100243a3b63ad11f016550ee9667c0a7f1ab219e2e5f145f9eb956dd8e74c1cf474c6cb756d055b3e93f5ea908957d90553f5acd93de60

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
96KB

MD5
211bb491163347e1b140def056f794c1

SHA1
2705f46feccba9c010d93d2c710fced8d6feec99

SHA256
a33836f9f01c7298371682ec0dc383caf9398d05be1b459e6ae35767973a4cad

SHA512
4013373ec78fa1e89dfc2bc2bbf5e1e41e1e701220f353e563d716d5b4757b58969fff0e27505f889552b492122ba4839fa99959d86b15029fd17dceffb08faa

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
96KB

MD5
1edadabf4c1bb933402d234c772c549a

SHA1
5a9c7d004c75f34f25b81e45622cd47f0556d25b

SHA256
2d629e6d1bfadd99bd0c27c390a3b157dc4272dcdf0501a6191e764668f5f9d6

SHA512
160fc2377f98ebe35a957092f8d12228090feef2a47d0d4336237dc7cf398f1dd0edb7535928addb59d57b3e2a28756d614016e3a5ea31b7b37f964b61e5e5f1

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
96KB

MD5
813c7b8f3732acd35dd50e68fbf5e09e

SHA1
2492d67a606fcad8731c7b642e762b7cdcc37aff

SHA256
fd2119f7adaae8499eeda7b117d08d777ce418a5bdde1eb07e75ae324079fbec

SHA512
7d9b047f378936dbf120833dec47e40ca38c7628d6dbd6796f70bc378aba1b6f828edfe6c0908541a8b8f6c7c61f30d2f997d699882e67993afcbbed5880cfaf

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
96KB

MD5
b6679ff54937e29b3baf2b231bfb5667

SHA1
ee6d2f2a53b314b51397a49da0bf05813447cffd

SHA256
d74a6b8f3fa04a9b90c97f136f5e70faee37a46cb9a9c1064e6b64ab3082a4d3

SHA512
de1ceebbfd200f7947053c6597bc0c30328a9dfd7407be2871816755669876724f36a9ca2d3e967c862bee93180d19b3cb6e67130cfd337f56bc8bf45c14b17d

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
96KB

MD5
92e117ca3ec26beaf0f4e8da2a23bb08

SHA1
6e598f1673fc85a3e6c6dfa4737d221b7a00a537

SHA256
843fec8613d657cb611649dcefd679e671dea64e26cbb39fe8bf1c61f9aefd9c

SHA512
e3b1299ce46c458b22c243d8fe97a0d7a16c67d81fadfd39cd68d1cec3cfcfa39465bf3e30627a9402cfecc286f5745b7fbef23c032ea8e927fa8aa5e9564294

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
96KB

MD5
2fe07f4771309d9fef46b1b9bdde5b66

SHA1
6a817e2c3e17b3917dc666b815120413a50def74

SHA256
bb96c1d40f30a091dffae63151911a18fd1a121a417ed456d6ae0478d145ebba

SHA512
6794ec289b489fb8beedb21bf0e4de682c347a9cf87d70dfbf4d99dcd6cc26bee0ab66e6c93c472791be77e65ac27220520c647328c549649240a6c27b9cbd15

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
96KB

MD5
3a52a2c7c47e1cb683ea5d08ca93ea8a

SHA1
ed58d4eed96c9d3e357dd9ae16e34f18b6f4f571

SHA256
d0e3ccac5f2bada8d7c314264d46efef9301c5ad225e64d34cc39956b070b37b

SHA512
3c84c89fadc9a4c55066845a83b2653442c94a00d2893961394ef2c395caf12675146ebe78a5f29afbe4b5e4693f949c7ab3b1dbf980d33a660702dd10078e5a

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
96KB

MD5
76d6a44b4a744ddc533e2086b0c36055

SHA1
d2254cf850c49a9618097c882dd38ef0922039ce

SHA256
8bd1f97c412820844b77c6d366c1a15efc2e6afe45ac2ad9b19db5af1eb51cb4

SHA512
a2abe0ab7e9fe6166802916d2c4cfea2a064451c846555be6969baaf3dc462fe142db3b769b268d45c9fdd322c5f6273080765b135359f74d230190d8df8cc60

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
96KB

MD5
8d6af38628a9a26f2cb1c9bea7fcc0a7

SHA1
af95475b1e1c90e7e7ba5ef7cd944ec77a46fd9a

SHA256
30437ef015f73f566c3a0755843002c1047665a6c7a468b52441baf6aaaba36c

SHA512
b14530a1f853c6d1cbacf710494621c09a22f3316a993057be00454a944ee584990949d984deb1f0041eca4dd3374126f6f8af40a6f1abeb71a2d491e73f5d84

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
96KB

MD5
62e62b5ef84a089a6c8c90fa998984e9

SHA1
c720dd8954ea675d3c5bd666a2a954b8778b0f92

SHA256
ca31e1c7337aff1d5f42b4c1abf14df3c4e4fe1380f6f0eaada77d71bd422c07

SHA512
d1e44a23ad0105d87d559180eba2a04ca84c4e4204f5f1b37a135f892423b25fd636cd5ddd804d7823aef81cebbeb665c656bdfc9cb876e5a0633bc28b89a8fe

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
96KB

MD5
c8e099ffcc50c223e991da4babb30214

SHA1
43435afeaa5067a62bb13e844e783b1e291c98fa

SHA256
e8b64f0c0c46252b768f75d3153e9a7c8335f1d15c3bbfc711c4dd318dfc8516

SHA512
fcd30a527a310f533e61bc33fe7d1da3a3e21e8155125f8f07272d9d2dd14f2ad9a1a17f268ee989993c7d2cf4e0f4d96f428de11284b605c50b78de2f9ededd

Download Submit
C:\Windows\SysWOW64\Jjcfkp32.dll

Filesize
7KB

MD5
e113d987b6816734e2818c4219955c1a

SHA1
bdebe83f046aae114699bed909d337aab4c55a02

SHA256
d27535eea65d9b256e82abe716652c389874358aef843e1b880218cb2ca0a362

SHA512
8ceb36498c1af079d76e071c82bbffea2639fbfb4bf77836ae41e1a7d840037b4f7e0f24d7bc859679eb480e28ff1da53e01e5115167f9d60126bc8bbef6c69b

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
96KB

MD5
2b16801a0c88c9ddbadefebede9a631c

SHA1
008421011cb52f1a501932923053d647d23e11a8

SHA256
e1c1fdd0c83e0ddddb0105c530fd161c7dc6b319c8169fa91f6545fcb91d1c32

SHA512
d4b71357673ecf2aef6ff06f99332983408ecb70eb92fcf37d227d0f59abc5e104a86fd0c88c082eb792607d147cd8882704066618a243545ee8763dff8d888f

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
96KB

MD5
282865eef01bc113eee3af34fa77d681

SHA1
46432298a8d772c717e2c6705a2a950532594cab

SHA256
f35c594ba4712f6d061cc841216650791fb4924ff2af2223743d42387822299e

SHA512
270671cb76527a4077e1fa537185ba64bb573abed0ee1713740f67fbe4b444de4263b3e9401da5502606dd0ca2fb476d1dd2af01d681e27e7f68dc56a305d1e6

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
96KB

MD5
f434ebc15bde35314d3a56aa5c2c1368

SHA1
2bb54b732a858855e45ed7dca3cbf5fd34928d26

SHA256
3941317b832d9dc3233b07549ad4f74ae5f4c9b1a8cf36debd5b14d1bcc8e116

SHA512
26f246f88a96d33b71460932b1eed1cb9db0be7bb040cafe07f034dd8638a42a509a2ad7e510551419f510ae272311adb8fe9bb87fbd4b97f430fc1853e38e9e

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
96KB

MD5
69853fa04353d8a53ef3424a7f9a917f

SHA1
ee8af750a85af8991cf3cba0506f4f81ac8110d4

SHA256
2d6eecf3797325a68c2eab70cf86bef06230a0bf412c550598006bd68fef17db

SHA512
d2b6afee9365c8b26125fa8b4497cb141a1764c17c96cb7e25767538877775ced4f6e4a8d8488f0cca6f1d0c0e6913e55b9f0faf0b0f23024aad5d7604185617

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
96KB

MD5
a58b59269bd428c7a3c9a81066d6a533

SHA1
f6fe1e2c1b6d9f2657e350554205b28d914aa3cf

SHA256
594c36629008bfedc975e4b1ab5447e9153ee5951c955a7381e96930170b1b0a

SHA512
0d190ae48bf93343b4de3dea6bc15332136a6345080ec2fa750255a4eb14fd8bb9f4e9aa72165311eb3999b9c2f90c752a586b62ef6a6a1cd5c2f586b2d4229a

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
96KB

MD5
12bdbf0141e4da305164d809cb62fbba

SHA1
f231817068210f6e258cf77c1cd12e3e40515905

SHA256
a88fd5e60dcad0546a3a561a10b0c3b0ff0f0a79da230db98fd4890cae2a4419

SHA512
d3b1b16ebc92fc417074793c24d6f5f1db001c52905bc785f6604827eca9415e045cf259802a4a4fc261abd6b9f4253093f3bf322617d9b367ba8c766c6131a3

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
96KB

MD5
f9703e4a51f7e8affa4d2e8aa5415203

SHA1
b698c189d8b045a852fad77b2760cfc26eca39b7

SHA256
229476cbb87cbe42a8bda904b6d4bc0fb313dad1a673d34601fef2338c201559

SHA512
7ba3c4d67fc517949707869c293732bcc0d45b0e150f4e333e514403021d65fa7450204aa0db5b18e87bf1b5e27afca9a86c248fbddca8fe1205cd7e688279c0

Download Submit
memory/212-601-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-581-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-554-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/736-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1052-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1300-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1560-403-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1796-556-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2024-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2092-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2152-562-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-584-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2276-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2444-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-608-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-574-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3148-557-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3148-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3184-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3208-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3332-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3452-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3492-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3540-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3600-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-536-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3660-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3708-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3884-516-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3916-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3936-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3992-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4064-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4084-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4100-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4188-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4316-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4380-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4536-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4548-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4560-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-228-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4656-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4716-404-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4784-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-530-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4956-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4976-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5064-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5112-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5140-602-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5180-568-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5184-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5228-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5336-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5348-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5356-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5380-542-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5396-583-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5412-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5576-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5588-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5640-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5644-596-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5644-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5760-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5796-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5840-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5984-423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6056-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6064-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6092-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6112-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads