9217c81cb71e0dcc153a8c6053950dc67aef979fb63047a932a107f822fdfc42

Analysis

max time kernel
140s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe
Size

93KB
MD5

ab405d276e8c4f0e3060707723e35a60
SHA1

91cc95fcc1716b95bd7e773ba68b385273d8cb2a
SHA256

9217c81cb71e0dcc153a8c6053950dc67aef979fb63047a932a107f822fdfc42
SHA512

8f6c19d81f623d753470f05da44435b35f0ed260d64714e041431a9b3abcc03de045f0e1f538909e6dd47b9bcd42bf062e25a115d23e11e1b1a636e8c13fbb6e
SSDEEP

1536:wDD3fW3WyqiCgHt0iHu3o2WTb8b0sRQlRkRLJzeLD9N0iQGRNQR8RyV+32r:ofilC0bOMaDelSJdEN0s4WE+3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe

Executes dropped EXE 64 IoCs

pid	Process
3228	Giofnacd.exe
4752	Goiojk32.exe
2740	Gbgkfg32.exe
1420	Giacca32.exe
2640	Gqikdn32.exe
1748	Gcggpj32.exe
2476	Gfedle32.exe
544	Gmoliohh.exe
1676	Gcidfi32.exe
5004	Gfhqbe32.exe
3668	Gmaioo32.exe
4764	Gppekj32.exe
2228	Hboagf32.exe
1604	Hapaemll.exe
3792	Hcnnaikp.exe
3128	Hfljmdjc.exe
1888	Habnjm32.exe
3000	Hfofbd32.exe
4220	Himcoo32.exe
4860	Hpgkkioa.exe
2000	Hfachc32.exe
5080	Hippdo32.exe
3012	Hmklen32.exe
1256	Hjolnb32.exe
4992	Hmmhjm32.exe
1280	Ipldfi32.exe
4068	Ijaida32.exe
4940	Ipnalhii.exe
4776	Ifhiib32.exe
2268	Iiffen32.exe
1892	Ibojncfj.exe
2676	Iiibkn32.exe
3612	Ipckgh32.exe
4864	Ifmcdblq.exe
4996	Iabgaklg.exe
3984	Idacmfkj.exe
2124	Ijkljp32.exe
2876	Imihfl32.exe
4608	Jaedgjjd.exe
3928	Jpgdbg32.exe
64	Jfaloa32.exe
1036	Jiphkm32.exe
1060	Jdemhe32.exe
1084	Jbhmdbnp.exe
2440	Jjpeepnb.exe
3388	Jaimbj32.exe
3440	Jfffjqdf.exe
4472	Jjbako32.exe
3264	Jaljgidl.exe
3536	Jbmfoa32.exe
116	Jigollag.exe
4008	Jangmibi.exe
3712	Jdmcidam.exe
540	Jkfkfohj.exe
4908	Jiikak32.exe
1704	Kaqcbi32.exe
1840	Kdopod32.exe
3236	Kgmlkp32.exe
5024	Kilhgk32.exe
2464	Kacphh32.exe
3628	Kbdmpqcb.exe
4452	Kkkdan32.exe
4528	Kinemkko.exe
2620	Kmjqmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5940	6060	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 3228	1644	ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe	83
PID 1644 wrote to memory of 3228	1644	ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe	83
PID 1644 wrote to memory of 3228	1644	ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe	83
PID 3228 wrote to memory of 4752	3228	Giofnacd.exe	84
PID 3228 wrote to memory of 4752	3228	Giofnacd.exe	84
PID 3228 wrote to memory of 4752	3228	Giofnacd.exe	84
PID 4752 wrote to memory of 2740	4752	Goiojk32.exe	85
PID 4752 wrote to memory of 2740	4752	Goiojk32.exe	85
PID 4752 wrote to memory of 2740	4752	Goiojk32.exe	85
PID 2740 wrote to memory of 1420	2740	Gbgkfg32.exe	86
PID 2740 wrote to memory of 1420	2740	Gbgkfg32.exe	86
PID 2740 wrote to memory of 1420	2740	Gbgkfg32.exe	86
PID 1420 wrote to memory of 2640	1420	Giacca32.exe	87
PID 1420 wrote to memory of 2640	1420	Giacca32.exe	87
PID 1420 wrote to memory of 2640	1420	Giacca32.exe	87
PID 2640 wrote to memory of 1748	2640	Gqikdn32.exe	88
PID 2640 wrote to memory of 1748	2640	Gqikdn32.exe	88
PID 2640 wrote to memory of 1748	2640	Gqikdn32.exe	88
PID 1748 wrote to memory of 2476	1748	Gcggpj32.exe	89
PID 1748 wrote to memory of 2476	1748	Gcggpj32.exe	89
PID 1748 wrote to memory of 2476	1748	Gcggpj32.exe	89
PID 2476 wrote to memory of 544	2476	Gfedle32.exe	90
PID 2476 wrote to memory of 544	2476	Gfedle32.exe	90
PID 2476 wrote to memory of 544	2476	Gfedle32.exe	90
PID 544 wrote to memory of 1676	544	Gmoliohh.exe	91
PID 544 wrote to memory of 1676	544	Gmoliohh.exe	91
PID 544 wrote to memory of 1676	544	Gmoliohh.exe	91
PID 1676 wrote to memory of 5004	1676	Gcidfi32.exe	92
PID 1676 wrote to memory of 5004	1676	Gcidfi32.exe	92
PID 1676 wrote to memory of 5004	1676	Gcidfi32.exe	92
PID 5004 wrote to memory of 3668	5004	Gfhqbe32.exe	93
PID 5004 wrote to memory of 3668	5004	Gfhqbe32.exe	93
PID 5004 wrote to memory of 3668	5004	Gfhqbe32.exe	93
PID 3668 wrote to memory of 4764	3668	Gmaioo32.exe	94
PID 3668 wrote to memory of 4764	3668	Gmaioo32.exe	94
PID 3668 wrote to memory of 4764	3668	Gmaioo32.exe	94
PID 4764 wrote to memory of 2228	4764	Gppekj32.exe	95
PID 4764 wrote to memory of 2228	4764	Gppekj32.exe	95
PID 4764 wrote to memory of 2228	4764	Gppekj32.exe	95
PID 2228 wrote to memory of 1604	2228	Hboagf32.exe	96
PID 2228 wrote to memory of 1604	2228	Hboagf32.exe	96
PID 2228 wrote to memory of 1604	2228	Hboagf32.exe	96
PID 1604 wrote to memory of 3792	1604	Hapaemll.exe	97
PID 1604 wrote to memory of 3792	1604	Hapaemll.exe	97
PID 1604 wrote to memory of 3792	1604	Hapaemll.exe	97
PID 3792 wrote to memory of 3128	3792	Hcnnaikp.exe	98
PID 3792 wrote to memory of 3128	3792	Hcnnaikp.exe	98
PID 3792 wrote to memory of 3128	3792	Hcnnaikp.exe	98
PID 3128 wrote to memory of 1888	3128	Hfljmdjc.exe	99
PID 3128 wrote to memory of 1888	3128	Hfljmdjc.exe	99
PID 3128 wrote to memory of 1888	3128	Hfljmdjc.exe	99
PID 1888 wrote to memory of 3000	1888	Habnjm32.exe	100
PID 1888 wrote to memory of 3000	1888	Habnjm32.exe	100
PID 1888 wrote to memory of 3000	1888	Habnjm32.exe	100
PID 3000 wrote to memory of 4220	3000	Hfofbd32.exe	101
PID 3000 wrote to memory of 4220	3000	Hfofbd32.exe	101
PID 3000 wrote to memory of 4220	3000	Hfofbd32.exe	101
PID 4220 wrote to memory of 4860	4220	Himcoo32.exe	102
PID 4220 wrote to memory of 4860	4220	Himcoo32.exe	102
PID 4220 wrote to memory of 4860	4220	Himcoo32.exe	102
PID 4860 wrote to memory of 2000	4860	Hpgkkioa.exe	103
PID 4860 wrote to memory of 2000	4860	Hpgkkioa.exe	103
PID 4860 wrote to memory of 2000	4860	Hpgkkioa.exe	103
PID 2000 wrote to memory of 5080	2000	Hfachc32.exe	104

C:\Users\Admin\AppData\Local\Temp\ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ab405d276e8c4f0e3060707723e35a60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\Giofnacd.exe
  C:\Windows\system32\Giofnacd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\Goiojk32.exe
    C:\Windows\system32\Goiojk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\Gbgkfg32.exe
      C:\Windows\system32\Gbgkfg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        26⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        30⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        36⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        38⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        42⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        43⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        50⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        72⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        76⤵
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        78⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        80⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1284
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3472
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4768
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3696
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2704
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        89⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        90⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        97⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        100⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        102⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        105⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        106⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        108⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        111⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        112⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        113⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        114⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        118⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        120⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        121⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        123⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        125⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        126⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        127⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        129⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        132⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        133⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        140⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        141⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 420
        142⤵
        Program crash
        
        PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6060 -ip 6060
1⤵
PID:5788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
93KB

MD5
11ea4277d84cb814cc225e449b73e165

SHA1
c93cb7517d19c76d5241374df0b40a3747346dd3

SHA256
831521907a6e28304536fb77a34e90d36afb488888105dbbc7aedc5fe6698d6e

SHA512
99b7095a0b678efe68b2cf18d75583aa5defb61e1351d841c7c58512b22af110dde79c6c877868bc6c51496a5766fd21658286a2b8a80fb3c648230f14a3574d

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
93KB

MD5
918dd312dd856581bbd01f98ba98984f

SHA1
4c56243de61caa76f8f374d9b4070d6ab14a182d

SHA256
82a569a97d15b6babe713932ac5ef20a898dc3b04bb3ac34970a2ceae0c8e81d

SHA512
8c9af4b03febbcd41a3105e3470221ecf0e42fd6ec67042c0496ba9c924b9137c86f28d1462871472d0154c1aff1533dcf886a06e65b56a267c01321232f7bf7

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
93KB

MD5
b56c4d6e0b6c59b853bdffb0c0bc07d4

SHA1
3a318fc504c65c90c790eddd2f7802f9f03ab2ba

SHA256
4da2a96441ac980006f081cba624af0ebdd8f78b06fddfe91597aabfb626ed29

SHA512
1ca125d1c01ec14a60918b17edda66d6f10e407fdf08a427044bc60a8ab2b27d8927e575ce3d2c08c0429978101a64a4ae729cc8557f8c9b3b63ea4b8b503dae

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
93KB

MD5
0eb8b186762df85c2ca13d27d48e251f

SHA1
be2e311be4bb7e7310bace37e5e9225229d05138

SHA256
217db880ebb2b0363ddd1aded86045a330f7c36e062579a7006b786178cb5a83

SHA512
34200887776c528bafe539e0ef7f44eb72f3a9ed75fd19cc94f72bda2847e67e8a01781eba83ba244aad5b0ed4ea2ec135d3e2dcaaf4e7552f0282afbab0eec0

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
93KB

MD5
8716e145c0511501a83a13873aa1b271

SHA1
5f739010e9a1ae66fc52230a3a553bb3f699c80b

SHA256
fa74c97ce5695bf3d3037d0a404ac362d7f267063328cbb984b966c4c65d71fd

SHA512
e24cdaa2ee06edcc5412aa22d0a904c74ac3d1c46af0bdbee8a165ab21f510be0da5b981e7fcfe0ae814384c523fdba329c3173cda0fd483de67424d93d57d37

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
93KB

MD5
7341fe69253d936462522c61526a044b

SHA1
d6ce1912715058cbbb6c40e66e83678226b0d17c

SHA256
c4ca61532cddfa443f25703ed978f961599652530b0cdcb9c137a499fd4ef55c

SHA512
1518452bf488edd16c253be16852a9863f854671b05ebce183eef94fbb12fd9c1afe16a6f242cb4847694665917d5ce71c88e096d032c1e9b574fa6ba26107fd

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
93KB

MD5
0ccb6957a88e2ee2dbbd847cbd5e8a3e

SHA1
847a20e3dc15beef27b833022cad48fedde1720d

SHA256
17474a16a34a929aa277ad272d1d66531046d261ff6a2abdd2a49136656b391f

SHA512
80147bb650bc55b12e8d6789c0ee6ab4ad80b164184385699f0cac79960148912332b8d951b4b7f7b49c686dd00158315b03c4c692199379236c6c78b1767267

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
93KB

MD5
002dc30ef0607ba16af6e7fd7d049b32

SHA1
338de92df9e216bd518d2d6a6a60e750a9264042

SHA256
32a68a656941f23713c138cd4d296732f866e176222165275fb09e8f4e47a328

SHA512
7e4406d90015d8beb951166e0d19542435c7f2f8fa4b85a46e52d01524609084a0412e14b9761d3391c8510c53142f1fa6715a3db8d230919c37be7606eedfec

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
93KB

MD5
65b54f6d81b37358f1c813770ce5941c

SHA1
83c2cadd7617c40268974616f7fdc4ba1fe682f1

SHA256
7c8bfde218f6b1a314ebb3ef5dc77ac85ca9501d3e14ad58ec94c4626c81f23d

SHA512
221f7ac41a04bb3bc8c9fa950266c77b6fc76fd65578f8cd4773b42fe4f02f0254b0e941352f8c1e9e40c5c427ebb4351e2c228886975524bf4e1d59cbea0469

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
93KB

MD5
55504784d844f3b02ff67314a1765df8

SHA1
dc210c229211697be740b79187b1307ad87ad94c

SHA256
85ab5951eeee9f11454f3730aff82c30360858bff682f456b3e62cac3c65dc1a

SHA512
6f499e28a05844cb6a1f67a2187065b012aaea8a09903450a7bcbc7a4fe25ed004e4c38183c19f4a71a8857e3dbf314865b149144bc7e2b565608a583d0a99eb

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
93KB

MD5
01fb076a198ab7cec8706740acbca0e8

SHA1
364d2717c1a97361f6bb3329a6b6e30040bfba8f

SHA256
827a68fb2e17b10a07a0674df106213e4772548dc95487ca2eb91b6eeb19280a

SHA512
1069301550a0de72736dd3c81d196fd8f97d17d39997d4394a71ab95aa787e20b8dcaa3535d8f9a46a72e64f9dbedca8488981f23f49dfc7e461623cc0d35317

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
93KB

MD5
6fba5c8eb0a932b0ab946ab2de696dfc

SHA1
e4894f31b8d7abf3f9d8dd24dcac5a635cfc4891

SHA256
33a1c326b4c0c06e1a6789f224749c12ed5cea9bee76b624c6c986f57be388cc

SHA512
ae9658c2272b30ee8097e45117b30085f5cf312c4e8db811f2265274c11643d175c1b2592da4769321c596e84cb2e3602c4a05a4650b22f991254a70db0610fd

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
93KB

MD5
891bc36954f8304408cc5bdd280d77a5

SHA1
f719b90258455a12641c331403654be726b35ee4

SHA256
3aabbf97870f94f18a0faba431f5bec51dccca56d8e6f820f85bbea0591deba4

SHA512
f1d540f229d9008266c4abe5f24742053af7aec6fac375480dadaef6f3e56780b51a5911f71f8486c3621ac43b8b50559376693e01fbce395c95c66d71836f1b

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
93KB

MD5
d85a574a6e12f0f6cb13c2a6fe68b65e

SHA1
7b86107b754f407a84dcac009965d8761244d6c7

SHA256
c032afa43fb56357daef3d426aa5186998d429954ee938e5e001907fd06a07b7

SHA512
66a93475920f483bd699ca18bad463ea09a38a1d5b663416dc163e3e2a654f27c0ddedb9aaf0ea50e1b009d1628f223761c2c15d4df2b35a9826d69fd36525d6

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
93KB

MD5
5d358d9aefcc51a3af13a0ebf7f138af

SHA1
70158a0c281b037e588721265ac8d4d3a5e6adf8

SHA256
e1c928a2350fd062ce027a565a5d25b9eaf0f5620f855b8150d5b1296a6af4ac

SHA512
55b2b0ae3e0dcb99b61b8b06a2ce8cddc73a155c191c7b703610b8573243bf66c79bf0c6b4277f344fc3de6c650d9e23e4511d53f4658dea11a6de42fcbb1621

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
93KB

MD5
0f1c1c269e1b72e4effcb95f8827490f

SHA1
7943df32add6fce4e452f9ce5fb350dfa4d03e7d

SHA256
a63390c47dc8065332cdfc7259148fbba63f82d7fe0b526e880eb2afcf8735fd

SHA512
e2e9994e05c8849630e87408e8312dd945538e5278fcff4d27a04187dfc3dc6a7820179b558fab8d752ece987f92b3e24aa447201a1a15d5b731f5fb6607d158

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
93KB

MD5
ba1c9fab211a0f639b0ee221ab59c9a9

SHA1
a19da258c05ec3e6550c1cc77b8a31efb4e9d814

SHA256
13ebd3c6cbe5d57f97cf71f3e064d59be3678d4efcf7a37b626924a16406d123

SHA512
ff05da03583278a84a930de6b46189e50ee01a94423abe057e1250be53373d803c752919aa40acd9854472a10da2e02c8a659a3040319f9818babac4e5a52fea

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
93KB

MD5
9af3666042737cc916727a070b2cfcad

SHA1
f57ddce206c311a285d2cc600645ebf43bad9ddf

SHA256
e47b46e2e515bd93d2e1abf58761100f35ba4d84d91fb4a4a998658ed1a04bfa

SHA512
3b80fd9cc0cfdaa2271164dd4b636b766105ea33fca7b86d74c4a8b5f0a183a330a52b0c60d439abd208686ce734b5be829fd30981b0c6dd5482e46248d90bb2

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
93KB

MD5
6b610d282186fc30c8d97ed43bc81840

SHA1
cbbd0889637abc4fd81ab20e8b48fbb8b389ce0f

SHA256
45471feb68452b6f6ace6a0b7fe7d51b4f86df62c17a0ed4ba3732d6bbc6b0d5

SHA512
df52f727097f3c4c513be207b0295457b497e8db1d3135623352236956285813780d3507ad986d282907426761e130d7c919d165aec9c09b2d4e3440fbeea5f2

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
93KB

MD5
cdf428a3e2573489fb4fe95d284cb555

SHA1
950e882deb8d3eab825c066ab500f98016cb52ba

SHA256
369030a35a6907b72bbed4a946a66a1be942e7aedf2679f1dcb6131e341117dd

SHA512
c90dd2ad4ab6aec0585381be1346a0e45d89b825dbdbf56e77103565b199bf74141d89d4257072aac4aeb97779541daba9744598d9d0ef889719a5d48e452a4e

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
93KB

MD5
ca59efea4744dc28bc3567c7071dbebb

SHA1
ec5073ac0e8f52e4285ef8317ee25fe3456ba9fd

SHA256
85008ca4bedf999820718f1e73eec73cf80c19f55e18a43bd64498a46bb9a0e9

SHA512
85411f0cf5445510bbc3eac946a88ce2dc46f0292c88ec8006d8bfb5b47b3145f55940a9c477c19df27683b0a44b848afbdba867a4143b8dd218e820b66cc825

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
93KB

MD5
7167071569f4732c57483f50793f5d27

SHA1
6b79fb18fd55a8b81fa0a4f4207d216578d8eb4f

SHA256
a35aaf40115193a65d6c95eae3fe9882409873309d5193449a0a9a966dd4fdbf

SHA512
5c618ad1a80df572f020a4a8cec754e27042289fc0b93eca3dc1e355d58ad9a11a9e1a8233586a414d19d06809eff79914db41ab115f0d117075d9ff8a31d4ab

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
93KB

MD5
7023abc83a93a697cceb14091e2463c4

SHA1
dd5f87327d3130bd66938cb05d29309fea1637c9

SHA256
4120ba5e98bffbc41940f3dfbd901c6f735a11a546360c9319658cfc39c38afe

SHA512
b1d83c5eaa2a12a6d9f8261199f34b8c0a2e5fcdd0fec3cfac965b0f181e6d260e6eb929e7d2fba32e4a00205db11d1c2b506a5db6c796dcaecf944372a737f2

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
93KB

MD5
4cc1031a1f93ea3f09ddb8f65a0ba262

SHA1
51abb0b903329a3b6d8d8450143d4bd12903af4f

SHA256
329cbc330cc674b9faa9eb8ec94392d64fa6d916a1acca2624dcc16a136ba3ed

SHA512
4c7ba6c9aa6c00e6c28525357307de08c5f02331fa009dda9c6854262cf241b8b8391d62b5bb06d463ac1dbc8a91ef0b002fb36173ec300eb1caf64cea05c63c

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
93KB

MD5
5c8e7330f7d9cb7a82b571fdd1492ebb

SHA1
3e23ba472e76acc2fb1c3b6182140e9fcd06322a

SHA256
23eb55232d4757e91a26354bad77a8332cd21f1ca74066a3f03ec3a7357bf08b

SHA512
ba34000ac9ceda32953ca6b902e2e1cd30855eec5d7920726b535be836dedf08bb8443a6902eb78b8c3212a54048716dcb5ab4ee025df1bf030247905199a24f

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
93KB

MD5
34fe09ec906defadc773475ef7d86ffa

SHA1
ba104c2b19ce60e50fae539cf7d23a0fb29b9bf5

SHA256
428e98acb25bf89a9cd372cf7a9f41fe4d4b973efb0ff56520fbe742f8f4e76a

SHA512
e90654049ca58ee0d732a1f4ac000cb32a389259cd51ee5a5e926093998ea3742187d1af570bdfd110563216a1b37bcf349f21f3f38b6454435d4dc5b8dcf978

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
93KB

MD5
d1f3b0babd637913c93a8abe6537cec4

SHA1
d51f37d5ed81c0095e6b29ad52f5c3b6e477073b

SHA256
e28a99bd5b4f908ee3b70e507523f9d41274493d3bdb9b0f738188c0cb6b31bc

SHA512
4a7a07ced4ab438627e0bd71bde3cb3b331ddc2c420aa3b030123eee669f72d15406cbc7500608aa7f9fd29f144932ec38e92715657d24b0b06c82f9615b9979

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
93KB

MD5
c8a8d96ccd4d299b64f1eb33eb3a3a6d

SHA1
f061fd3b56ecb1703689e68cde23d9b7693fd4e2

SHA256
a914171ee08c391d9981ddac0bc83d2ca12ce13e113c5b658aa217eb601f9c6f

SHA512
e45ff77b8a36fedf9b658a296ade085e4b5af18c0e9ec0105ebcd492210d76a4e468c7d8097793cbd2a2c0516b388cb5b675fc07d9ca12b0c98278ce6d150148

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
93KB

MD5
9a1a3634b1eb881c6539b1fbd9e4dee8

SHA1
24cdcbf3dd14d4cda666658565490239d4ba573f

SHA256
46d005124152dd6f107575b80592a3aee351036ac4ea8972dade094bee19d23d

SHA512
df0b706f459da7f2cf687d03882bf86dac2d07d6ef5da7788ba4ef7ac1d942ab60ccd6958e0a53bfe9b7894125d911d932a5d29ae7de336a54890f59758c1682

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
93KB

MD5
f76440299b76119730b711f002de4541

SHA1
f496604efa9b93ce29254ee823bd8f5923f9f64c

SHA256
a8ab4163a63d778e47c7da376af3e917771936896ac13752fe54448008858320

SHA512
91f18c6b3f59fb0c2038d7c2c95c396271304f26662e366e3c446cb7b63bbb7ffdfc47d2f6de2d52f3cc346111b78612575f87b69a109af2e758e174c7be3d8c

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
93KB

MD5
59a2e4b564404dffaf781392eb73275b

SHA1
f51b898daa03bb46cf5d525ffcc4048cf01483cf

SHA256
2ff8f9693d4806b32d8268256e9ab365785aa40ec329d9dfad36ad63742b141c

SHA512
1ed09db65c593be275bc79ddb2abdc6ff488623b5a2d506267226fea8b051866237bf4ae85765a80d9067cc0e25a751eef8165e5e45f4aa4512a8d3f31e9fdb5

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
93KB

MD5
19aa6070aa5419a00273d1201ebd17af

SHA1
54323afe25e6647a115932b0d13b33b755ae257f

SHA256
9167369057904e7a305bf435b671102bd3c4ee8369a3182aa8abaacd14fa32e7

SHA512
b0933f93c398a1bb442e8875884be70f41b375feeeceef3c85b70192bc334862a4434ebdd00a9d15586774db9f04808c90eee26195b273838bba7eb00485fe70

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
93KB

MD5
dd2f7874c084193d5fa7ee3c63b710e2

SHA1
cf567cd043cfb6745e1d44aee934781b631848f3

SHA256
52526f71c3d386ac51d14044c290bedd7d041dd6839ca560ae3f4b1db6c4f51b

SHA512
5c7e4569c38020a6e50fb8b3bd36a4fdc06445712d3739609eb8e6205de8c0a1fe8565e9e3df9b39ff5b6c0ec7e815918d5e0d783c621d76cdb84a3f7261d002

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
93KB

MD5
bac345e4540a343e0e4c5fb761704904

SHA1
422f326ca380be27901c3cd4e2aa02a8495e32c8

SHA256
846abbf935bb06f41588e2cd28702d3a4bba5094648830accb3c45de70783395

SHA512
473af135076b545f7e096cbd37203aba946b5f745793968c40472fd526554c59d0ca22b6f528e184b6a26b42d4380351d71c817232c596f3a30cc7c8f170ea97

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
93KB

MD5
f7b70699d50547bbd20ed2b9dd1a02e3

SHA1
2fb0fc7e54576016a2d7f7bf262c24382a8270d8

SHA256
03c24ed83d52fa48b4c7b5636a73f0e74e0becdd77c995e9e3a82fc7a51b1261

SHA512
b8163a616dde489862ee5acd8ae5d9ff33bf58bafcdc800cdb2fb79a8f07fc6b163641fe84fd3551a74e3d585f2467e3d56e25cbacd023377184188353d3e882

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
93KB

MD5
bda4a5b01abeb2e94b48d13dbdbb79ca

SHA1
1ff20e59f8ed7a61efc916f767901eacb8879f2d

SHA256
0848630924944cab31eb968163563cd2229dee80fd23c64db9616d06f1e574af

SHA512
3bf929bf8e0d120775e31c80bf9401f6b21c96f5267eb1651745ce735d299f46d60b718cd0587ee52902214555ded81b2cec6d84761d62838414357f472362d0

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
93KB

MD5
50c904a97299b99f39faef57d373b7d9

SHA1
cfcce648f2e90bdb36cda2211ae15a7d5aedec35

SHA256
1ccfb75db768608a7604f0e8a26ccda0a55f5a391bb9d244794b7ff9bb6523a5

SHA512
c63bf0cf19d223116233bf707a2271b1e4f124c8d3a5a8fe848e702ea7a785e4decdda59646cabc76fa635185aedfb0e354842a4cdecce5e64680c3b928a6610

Download Submit
C:\Windows\SysWOW64\Lmbocjjm.dll

Filesize
7KB

MD5
b1a9f400f60a9f6db36f3a2f77d5d792

SHA1
a8f9c5f4a6d71867826c685ade4aeb22ae6ad7a1

SHA256
ec472d3d6c223dd6b0b595683b3506efb988fd1e243b8bd446e0751dac493517

SHA512
a57324e45326f1870be73f8219d08e57f395cde02858b4e1779449f644d59471e71dc4eccf41e1d8323ce3c8b78f4f4bd00194850678eb52ea6386f6c5b9b433

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
93KB

MD5
108033c56bf81dd7ce7febaa0f164799

SHA1
4ba21e43d9e5f1150a058be31e44fb069f4ecc61

SHA256
f54d2d499dec65762c6b1d629e7b7588928dc88b56c9cf1ffa7d8ef3066f7ede

SHA512
eca414beab1015b3e83329551c1bfa120d99bc2ccd90156004e347cdeb069342a208050ee0f876da6d05df88d8bd7c800601ae62f0e1f0374f9ab781cbd929c0

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
93KB

MD5
d893a238c8e076f755dba0a5d3cfc61b

SHA1
3fcd369157c70f37b4f638306805c944ed9f758c

SHA256
0d5ce6cec08f25826255f62b659d6ebead874d3b6140152e65791af4659d37aa

SHA512
ebdda29e5c753af41827c84ac38e0f728ef7d9a0b1849be71db6849beaf333142b6099ea152d29841c57ea8f6ed8be7104dccb1eb43107cfaf1067328b70fadf

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
93KB

MD5
517fa5faaee7558b9d17a0b3aef6dca0

SHA1
e9614d045a28b01e080b63618cfa9cd57b9f99c6

SHA256
b5f485356e0cace634a2e169b61a2617eb4a2eea07482f74cac74765773a68b5

SHA512
1b8aa283834186885010ffe03df59c2fbe81ea59b6174014695aea8781ca0a4e798f70dd797e1cee9b09ec677f6e30e08005271e679334e24fc348b86f9e9a02

Download Submit
memory/64-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/64-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1084-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1256-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1420-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1420-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads