4dbc71cdc3ff1f9631727439986c021a0f58fa845721fb29a1a1e02b61619d64

Analysis

max time kernel
140s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 20:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

28aabb0d2a8c9cc25dc751fb2d6a1c6b_NeikiAnalytics.exe
Size

97KB
MD5

28aabb0d2a8c9cc25dc751fb2d6a1c6b
SHA1

20268b8f47b3830ff1ee3c6113db01bd5684ca61
SHA256

4dbc71cdc3ff1f9631727439986c021a0f58fa845721fb29a1a1e02b61619d64
SHA512

c226d178e28f5a3103bb5fb5e1b603c9881a005284e0cbdb6bfa9a59e6aaa8dc6806956e992f920822eab6b7294aea2f2bfe31ac66e944dce2505475155cfc76
SSDEEP

1536:C+/cir6vs+me4glqlLmidlkT6LQqGvJXeYZ6:Cli2vsT02LmOlkT6LQquJXeK6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibmmhdhm.exe

Executes dropped EXE 64 IoCs

pid	Process
3472	Fodeolof.exe
1776	Gbcakg32.exe
3556	Gimjhafg.exe
2140	Gcbnejem.exe
5028	Gfqjafdq.exe
1528	Giofnacd.exe
3252	Goiojk32.exe
1984	Gjocgdkg.exe
4120	Gmmocpjk.exe
3116	Gpklpkio.exe
2328	Gbjhlfhb.exe
824	Gidphq32.exe
2676	Gmoliohh.exe
1312	Gcidfi32.exe
1176	Gfhqbe32.exe
4460	Gifmnpnl.exe
3272	Hclakimb.exe
3196	Hfjmgdlf.exe
3280	Hihicplj.exe
1928	Hpbaqj32.exe
4636	Hbanme32.exe
3724	Hikfip32.exe
4452	Habnjm32.exe
4752	Hcqjfh32.exe
2988	Himcoo32.exe
1996	Hpgkkioa.exe
4144	Hccglh32.exe
2900	Hjmoibog.exe
4224	Hmklen32.exe
1316	Hbhdmd32.exe
4912	Hfcpncdk.exe
2336	Ipldfi32.exe
2128	Iffmccbi.exe
2448	Iidipnal.exe
3800	Ipnalhii.exe
4488	Ibmmhdhm.exe
1652	Ifhiib32.exe
432	Imbaemhc.exe
368	Ipqnahgf.exe
1196	Ibojncfj.exe
1824	Ijfboafl.exe
2432	Iapjlk32.exe
872	Ibagcc32.exe
5016	Ijhodq32.exe
4968	Imgkql32.exe
2884	Ibccic32.exe
692	Iinlemia.exe
4428	Jpgdbg32.exe
2948	Jjmhppqd.exe
4496	Jagqlj32.exe
4580	Jdemhe32.exe
2236	Jbhmdbnp.exe
2360	Jibeql32.exe
4368	Jplmmfmi.exe
4376	Jbkjjblm.exe
4140	Jidbflcj.exe
448	Jaljgidl.exe
2628	Jpojcf32.exe
5056	Jfhbppbc.exe
3992	Jmbklj32.exe
552	Jdmcidam.exe
764	Jbocea32.exe
4448	Jkfkfohj.exe
3636	Kaqcbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Giofnacd.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6084	5768	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	28aabb0d2a8c9cc25dc751fb2d6a1c6b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kbdmpqcb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3472	2972	28aabb0d2a8c9cc25dc751fb2d6a1c6b_NeikiAnalytics.exe	82
PID 2972 wrote to memory of 3472	2972	28aabb0d2a8c9cc25dc751fb2d6a1c6b_NeikiAnalytics.exe	82
PID 2972 wrote to memory of 3472	2972	28aabb0d2a8c9cc25dc751fb2d6a1c6b_NeikiAnalytics.exe	82
PID 3472 wrote to memory of 1776	3472	Fodeolof.exe	83
PID 3472 wrote to memory of 1776	3472	Fodeolof.exe	83
PID 3472 wrote to memory of 1776	3472	Fodeolof.exe	83
PID 1776 wrote to memory of 3556	1776	Gbcakg32.exe	84
PID 1776 wrote to memory of 3556	1776	Gbcakg32.exe	84
PID 1776 wrote to memory of 3556	1776	Gbcakg32.exe	84
PID 3556 wrote to memory of 2140	3556	Gimjhafg.exe	85
PID 3556 wrote to memory of 2140	3556	Gimjhafg.exe	85
PID 3556 wrote to memory of 2140	3556	Gimjhafg.exe	85
PID 2140 wrote to memory of 5028	2140	Gcbnejem.exe	86
PID 2140 wrote to memory of 5028	2140	Gcbnejem.exe	86
PID 2140 wrote to memory of 5028	2140	Gcbnejem.exe	86
PID 5028 wrote to memory of 1528	5028	Gfqjafdq.exe	87
PID 5028 wrote to memory of 1528	5028	Gfqjafdq.exe	87
PID 5028 wrote to memory of 1528	5028	Gfqjafdq.exe	87
PID 1528 wrote to memory of 3252	1528	Giofnacd.exe	88
PID 1528 wrote to memory of 3252	1528	Giofnacd.exe	88
PID 1528 wrote to memory of 3252	1528	Giofnacd.exe	88
PID 3252 wrote to memory of 1984	3252	Goiojk32.exe	89
PID 3252 wrote to memory of 1984	3252	Goiojk32.exe	89
PID 3252 wrote to memory of 1984	3252	Goiojk32.exe	89
PID 1984 wrote to memory of 4120	1984	Gjocgdkg.exe	90
PID 1984 wrote to memory of 4120	1984	Gjocgdkg.exe	90
PID 1984 wrote to memory of 4120	1984	Gjocgdkg.exe	90
PID 4120 wrote to memory of 3116	4120	Gmmocpjk.exe	91
PID 4120 wrote to memory of 3116	4120	Gmmocpjk.exe	91
PID 4120 wrote to memory of 3116	4120	Gmmocpjk.exe	91
PID 3116 wrote to memory of 2328	3116	Gpklpkio.exe	92
PID 3116 wrote to memory of 2328	3116	Gpklpkio.exe	92
PID 3116 wrote to memory of 2328	3116	Gpklpkio.exe	92
PID 2328 wrote to memory of 824	2328	Gbjhlfhb.exe	93
PID 2328 wrote to memory of 824	2328	Gbjhlfhb.exe	93
PID 2328 wrote to memory of 824	2328	Gbjhlfhb.exe	93
PID 824 wrote to memory of 2676	824	Gidphq32.exe	94
PID 824 wrote to memory of 2676	824	Gidphq32.exe	94
PID 824 wrote to memory of 2676	824	Gidphq32.exe	94
PID 2676 wrote to memory of 1312	2676	Gmoliohh.exe	95
PID 2676 wrote to memory of 1312	2676	Gmoliohh.exe	95
PID 2676 wrote to memory of 1312	2676	Gmoliohh.exe	95
PID 1312 wrote to memory of 1176	1312	Gcidfi32.exe	96
PID 1312 wrote to memory of 1176	1312	Gcidfi32.exe	96
PID 1312 wrote to memory of 1176	1312	Gcidfi32.exe	96
PID 1176 wrote to memory of 4460	1176	Gfhqbe32.exe	97
PID 1176 wrote to memory of 4460	1176	Gfhqbe32.exe	97
PID 1176 wrote to memory of 4460	1176	Gfhqbe32.exe	97
PID 4460 wrote to memory of 3272	4460	Gifmnpnl.exe	98
PID 4460 wrote to memory of 3272	4460	Gifmnpnl.exe	98
PID 4460 wrote to memory of 3272	4460	Gifmnpnl.exe	98
PID 3272 wrote to memory of 3196	3272	Hclakimb.exe	100
PID 3272 wrote to memory of 3196	3272	Hclakimb.exe	100
PID 3272 wrote to memory of 3196	3272	Hclakimb.exe	100
PID 3196 wrote to memory of 3280	3196	Hfjmgdlf.exe	101
PID 3196 wrote to memory of 3280	3196	Hfjmgdlf.exe	101
PID 3196 wrote to memory of 3280	3196	Hfjmgdlf.exe	101
PID 3280 wrote to memory of 1928	3280	Hihicplj.exe	102
PID 3280 wrote to memory of 1928	3280	Hihicplj.exe	102
PID 3280 wrote to memory of 1928	3280	Hihicplj.exe	102
PID 1928 wrote to memory of 4636	1928	Hpbaqj32.exe	103
PID 1928 wrote to memory of 4636	1928	Hpbaqj32.exe	103
PID 1928 wrote to memory of 4636	1928	Hpbaqj32.exe	103
PID 4636 wrote to memory of 3724	4636	Hbanme32.exe	104

C:\Users\Admin\AppData\Local\Temp\28aabb0d2a8c9cc25dc751fb2d6a1c6b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28aabb0d2a8c9cc25dc751fb2d6a1c6b_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\Fodeolof.exe
  C:\Windows\system32\Fodeolof.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\Gbcakg32.exe
    C:\Windows\system32\Gbcakg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\Gimjhafg.exe
      C:\Windows\system32\Gimjhafg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        23⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        25⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        32⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        36⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        39⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        45⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        46⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        48⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        57⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        58⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        63⤵
        Executes dropped EXE
        
        PID:764
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        67⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        71⤵
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5076
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        74⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3492
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        82⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:400
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        85⤵
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        86⤵
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2124
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        88⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        89⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        95⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        96⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        98⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        99⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        105⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        107⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        108⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        110⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        111⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        112⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        113⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        117⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        118⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1512
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        121⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        124⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 420
        125⤵
        Program crash
        
        PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5768 -ip 5768
1⤵
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fodeolof.exe

Filesize
97KB

MD5
8133d3c8d0544b113faed14650e6dd9e

SHA1
8b346d87442b5b1c1c7d2c8e2679bdd94e0e0409

SHA256
364e4c52bf12b0bcb144166c19c6d045d49af4a4056b65eabe7563dff2d622fe

SHA512
a51e0188a0b5c6dac2465d113ab3b9cc21cb6733adeea79744891fe5e6576bc1cbd056783383115084bfc637b02d0f59bf86e4f113a4457a121e5a1ad2bfef55

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
97KB

MD5
7bbca4a672dc2ee3c4b76cc1dbfe116b

SHA1
18a1cf381bd18ced7fbe6363058a903d49becce7

SHA256
56e97ff8763ce129c2a5f030a30365b5592ecbd16e767624ac5126c938492c99

SHA512
94a743bf4641ed9683bb1051091ab8364d9f1cbf0d3f652b51011b69088e9b66442f4016b83ccd1b27b6c6d6f4bfc82cd9188cdde13063b4c93977e7a83e2990

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
97KB

MD5
0aee5854e356b61047071866996ba299

SHA1
a61323754e0066842fab664fa9b99bee112bc609

SHA256
e1f2ad0f243cb2cc79cbb0d280b5586aaca8f87464d6d23884988ad7902c1baf

SHA512
2d550b673cae877bb6612516f469f78f6131ba7fca7b2da3afacc0099dfff71df4660e93a914649569510d8ba112a105171b3244e9bf7af5b6751ad3f4eed769

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
97KB

MD5
1b88d65ae2787937041d1337475571f7

SHA1
06ec856114a303ef1288b201c7e4753d60ae39ab

SHA256
af88dde75b4a7d06894b1a125b4b153b27c1f9d63b9cf691083b3bed5d59f716

SHA512
582a3c9613a2c72fc2f9130574da0a4b1bea488436e95feea61ced8658394e6a05c5acdb7ef0f25c637c83e28187af503f0bf3bf8209205e745c56e5fac57058

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
97KB

MD5
bc41796b655fc609570dfc69f2075fa6

SHA1
066d32ef732c9f6c453235c4cd7243ee8684e024

SHA256
54970c6929dc23a95f4bca2d810612eb132147fdeeb89b5681ff14b1861aeec3

SHA512
3283b8bdfea4e3b3e8b96a900915c463b4bdc0b1759ab9addae32e42a23fac84072517bb68bedb7189e6b23d54bae278e5928c666df38e430ff68883c134a5c6

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
97KB

MD5
28f936289050527d67063bd91bdf740e

SHA1
8ccb2ffe9cac0abc2ae21716cc1f23436a886805

SHA256
ad1ed98df75700097617040519782b377545dc7d108a0a16bae83a5fde5e0348

SHA512
6527af500411e4eb43557a278ea96e3b9360ef2aecf6246265e2ae2b4461eb352f040f229f3871bfc49ee0e5c40d21f2dbc64a5f979330512f34be5417dfdbc2

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
97KB

MD5
e33201c8fd48f0270a6b93c87b4d984e

SHA1
86e30113f0e619b15f8ef4f0852d913c48969471

SHA256
acc83d0cb39aa7e8891168f456a56b085fa27c65754da50e356cded08aa1a9b7

SHA512
d4707341288dd753af516cc33242c210e5cd2d275ac99a161993bdfb65157789b7b125ad871708b700dd1be353afb0a3f2bad1018c65bd63ddf814c1d1ec99e5

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
97KB

MD5
0f7f28abc9d187478761c1959d23e706

SHA1
ddf7dd53d6559c274e0c6f92e95e234ef78c27e4

SHA256
2b9c8992c91bba74b397ef87749fb463057f4a89e94026c7e00eac2c021c26a0

SHA512
0cab936cbf0b01a2cf76e89fa0e1a701105195ff84ca7afd3e5d8a245c440b755bcc63c7165e26e565696779527c85247e1c3fa047a535104ad8bb5bec6a764f

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
97KB

MD5
1dde92f914216562f5befa5e58f01ac0

SHA1
3fc45c3cf9b91c4b60cb1f5930b04dbc450887d8

SHA256
9b2e338900d5c73bcbde1c8c503143bc2b3c23fda7a2da76a8e3b1a189147de3

SHA512
6d4fbb3cea76d0186504d3bbb9e11046ba569fe01b22c09fcfab5b6bf844e26e823118337cbd11e59723807ebfeae04ef98e69a51836a84589eb01144e173dda

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
97KB

MD5
ed029f62b4f5b687313b49e485548582

SHA1
dda64813fa77759f54e8f1f6710857a5431f5848

SHA256
eb25117cea06b02e851685ef6761f97660f67048f0e375993db35e415eec41aa

SHA512
47fb773d8842df56064c5a5fd81186e9c8916ec2aab2926f8d70d79c86e7a254ec4a6fe80b850b79570f9ffa771addc5fd9f07d56fc17f0350dc2667202e752b

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
97KB

MD5
fada07067cb68abfc37330e3e98bc1d6

SHA1
95121af73de382ded8d94c68ede4e0c46a186838

SHA256
c79de7b505cdae25eb9379a7db423c753f3937975584e6cd3f6d5f4f79ae5807

SHA512
1e85033035fd71baf5fe6ea4e7ccbc24efe47611d022ac2ffeb460a760daeff6be8c5bde567b2f39a4ce7fe062e837b01c5f5cbeeef3cac02fdf061f2e1b909d

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
97KB

MD5
b920b84dbdb55326e7c16f9ab144d780

SHA1
b2a629cfac5c5f037f246c982d97f75a1c4dd9e5

SHA256
1e93f1fc76fcb326fa201a01c01a5a8ff4c64f010e80ccc2e9a8e9755ea175bf

SHA512
fe6fc7a2f277e352d9aaa46a979e1044a9361c4c95a6f331e6bc53b8b929ee29938587c72d76fb4832d6088bb74a28fce9c9b79cfb8289b88281e467db7fec75

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
97KB

MD5
5b73d557d9410437ada3266ce6d2bc59

SHA1
293b526da80262ca3f05f4371b6d695f0ac12975

SHA256
5b8d1d0d3b097722e57b5e221db86967400bee5dade1a29e2a4d26bc1ab35eb0

SHA512
6296dbfc893a0b1057332de4f5cc9f79ee6aae2313a350a83fdf4276bb190988c8f40b776ae1d438c88292f4bc87f27b9d7976f0e2b01359a344b2f04e3256c0

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
97KB

MD5
441b3743abda0295589f33f719d0a651

SHA1
e3ab85bc6f6d56ceaffbaf09869d01cf7a29aaff

SHA256
2945ba4023dc57957f39222ccfc1c12ebe33cea9b897c5f3445ffcf4eff62f85

SHA512
f86688dc6ea8c0700fac4f9eb94231b5b04f4045f47ac80560dd08be5511a5d240c600c79538ea224bd6e74f74170d8cd066e8c74b9f8bfdcb6ecfa8c9c8ad35

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
97KB

MD5
7578472d478edb4255be2b752aeb1fa7

SHA1
e6b1464727592c70f2956b912706a005db8073af

SHA256
ce9f4d2858be755c990b4d477b749f0af9a8cda198a3bb0fbffbcc389a96eebf

SHA512
73ff12edf5f85dcc0e4f5b643746b79ca7066df26906c23b69ae0b379d3df3572656d4f944aaa4b62675bdf13e098dbe1edf2893648445487d909821be0c1f2a

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
97KB

MD5
db149a4bc8f0e3901b0c4cf44a849868

SHA1
832cad400cae3d6654a8c8f915763dee8168b683

SHA256
62db88e0041d19235787f03f95e80a05d19ed0bbc30266a654460f1e2004d9a4

SHA512
8458ce7cff7a4c82e34c7cc0da6131ab0748516e2a6d8890703110a13aea079012435b3d06a1a2b700eb0669a8f261221696a52df174c656f9979074a4eef1df

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
97KB

MD5
47f4c11ee898453d8d0a620851bf36c2

SHA1
95842d24a01d91225ded012a4c11d4693ec3d161

SHA256
b6dae26bd9173f0685584d0c818fe1a17b8765de9b45e22793cd21ab814074c7

SHA512
b83cd015ef6ce0dde5a2833c02dceaeabb5e257309fb66e9b135a5e657e3c89f5042863639c1fde0cff8f5d77f91762b9dddc4a1f33476405916200890b9733a

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
97KB

MD5
7857c661e47c648194375856ee5ac637

SHA1
8e76f31c1b8198b6630bba81cac46489ab4112dc

SHA256
bf658829f2bfaff69fbda411f9509f3bfc93aba15881fa37178f1760fe06ac49

SHA512
8b6ca8ef9b6a5c5fa02877b04ba791daa07ee790d139236e798139d029279925d2ff79038b9158578851172ede649319182b2a5050ef77897da5487e1759952c

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
97KB

MD5
d2cc0cecf6d4731cb6949cc15eb4722e

SHA1
ea4b96e92e8b5bc2f42c360e35e6adbc95c1f565

SHA256
428ba6b3cc335f2c14226ada50a17bdaaf5fcf16baefb58d8983f9d56d7ff622

SHA512
ff2d90689b3f7ba172a1029c29f1e11b1bed9fb35ded835d9261eecb7cc72cca9e79d8cadec0d24244c2e33a95ed981a11f4f84db1b120e95b1294af0fa980cf

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
97KB

MD5
cd3236fb2c2ecb0a9ee3011536209bce

SHA1
3d1410b0149f6c175aab885881975c298034513c

SHA256
c945d8e16ac7cdb6fe8f6ad875e049e16a64fa467e311df343ee71aec29b36c5

SHA512
88fa81ec16e0efe4be849f4eb86574c84b1f51634d4a61676639128e77eb9e6ef21e8bcc930858158a2ad1da01c412e6812d6ab76d38961c69104a4d48e3ed73

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
97KB

MD5
2431ccb60d222095c7359fdc57a09143

SHA1
416d9d8256ffbab992b251ca7900773fd73d1a4a

SHA256
113cc6d08f8c71107f96179ec686b146a77a7cd152266637cd1818c3d7bca5e4

SHA512
fb0514229670e231132ff933e50fe6aa992030bd2ab67265666b7cb6020def4d1787d1f01cf6431fce520eafd4e8e854f997c0dc28682c0767f88b6c68a46e86

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
97KB

MD5
91c1a2e838199972ed977546e0e566e9

SHA1
080c0549d2f567a9c06f59ef9328cc0cd6ec9fbd

SHA256
83df6d48754f040a5a44a60a7108e8cde3acf86fbc57799d8195d2bf5f3a1b59

SHA512
8c79662d282402402c133cae34e820eeb3cd4aece946e3dd8ba7b154fc2e49f4a741ff596a2b85df0192a76ecd2bff06e7f357e2715695d5f9fc6f41a91fa18f

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
97KB

MD5
b824fbcfeb0b1e7406b2fc9e7ddf08a4

SHA1
4e4b321b63a167d26c4ea408e6412273e6ba7326

SHA256
a81724908237b719367d58b48ec72a53012f08bb19ec265e59199fd42f502fc9

SHA512
30d9f589b40235ecbe333f1cbd76dc0bbdae6f8a8e29c285d8bffeb6d723e8d452c9daa7b847d92b4be59e9de41ab0beb0449419347ea59e58a1ad11bda8e8dd

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
97KB

MD5
4816e73c862e2cc52dfcd8abf3313d5c

SHA1
2fee78f82ca6e78b4bfe1392b900f899f816a83d

SHA256
ff00fceaf12ac2b0e351a304c640e72f656372d0174a0e551b43ae0523f8afac

SHA512
f6dff4d061aa20042809c0c6141ae543702265f49b4ce1a10b213fceaac4791410a88d7a989bce46c099a1e60d95b8451a0ba352c5533ea43b7d90cfed5a769a

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
97KB

MD5
69d89f7420c85edb93576fed90d00235

SHA1
4da95173ae7e098cae0137dff8f65ea929b3ed81

SHA256
635979355f73eb83c5f3ddcf4d31d12d10002eca2937f0c2ccf64c61d40d2a66

SHA512
c86a4e04df339049a163129de03ec61452e63a9a2f98a4df70fbe37f76e3f664494bd71e8e141d73b7d56fdfbd1fdde71d1cf8c805d863af41138bf158b65166

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
97KB

MD5
a5afcb50954c0772ae669a43fc06c383

SHA1
8bcb57fc561b5e223dfe30bdbad67c30aa969837

SHA256
a86c1aba318147bf13eb24ff948a1a9408be07bca42d22eaad596e266c3cf2a3

SHA512
3392ae694bc5baacd01adc714279c13f6ec4710a3dcf625177b9f4956f633d6a28e6e515fe4891b1d0f388bbf75f1a928baaadff2990d5291d4e855dffdd46bb

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
97KB

MD5
166f4bf509f6c855196ea5c6f1670f99

SHA1
c681eb9b89010c38d7bdfc59c83806ceda2bc281

SHA256
a2db4911ce6a9e322d20ef9c6f3ba32d8303ca06b43446b20ff46eb7538aed15

SHA512
e98dd2d9a27ce39b14ca04d911ef600130c2d237f7d757929ea26c8db6d0e4f57eed65f4d81f0b24d3c04fde40caef5e6755fd4f0970ebdfa3603c6991446f1c

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
97KB

MD5
47a3e9b114c1455d6dd9968c0fb81fb3

SHA1
79d176ed1235c7abbc289f511fe6397c04b0884c

SHA256
772540a0c1e5de4d72bc694cf2794558f14d6868cded7636ae47806fd7e3501e

SHA512
674f4a03f55e34ec3c6835b93678ba903283f1d03d3b43cfb9f8e4bd64ac8357c386987ea480c3e93f62201363ec59b65d13c1e47a25e11384354c16ff9a1afd

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
97KB

MD5
bf3aaae9b18b3b78229d82b8a507c400

SHA1
d46513643b932c747a1b5f980cdb4524f7108b3c

SHA256
37b97d44bd20aa0b5f3ec8c48fe0f5605ce43e38fca41ca3afdb0837de591985

SHA512
d424c490416dd85c14505b1219679517ae6569995f0e627c17c0d2b7a743aaed8601d03324a6f923c3cc0c6477551b1b5b71c366ff4af445d9ee1fa19ad0c38d

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
97KB

MD5
3f2f57cf5c4448d2163f2a874d628d2a

SHA1
7378eb8d3205d7afb9e5396024759cfd09713b9d

SHA256
6c1acfbe456307c6942d7af6440a24c3a377dffc4866eb232b6d44eff904165d

SHA512
da94ededf1918ffd86d8590d6ce77d5b6617a0c4d928233918f6bce03ee7f51a1fd4d02992f60a3241a8ab3bbc5dfbf850b95633920a8cc9e73c0d9bb90285fe

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
97KB

MD5
d5baaa7adfe4c41079a248376abbdad8

SHA1
78c140572de3a824edd5ea5efdb4606941552e99

SHA256
f9d17c0ec62fd14035e20d8b9ab367baf8bae9658ba90e332e08324bcc589aac

SHA512
61f856e2af960fd1bcf533fd9fd03f0fd85d5cc41e5ccf7dd888d369ef3b951e980354c3721cf22e0fad06573a12f15fe13b202b5408fa481e1ee1c6c7e0f904

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
97KB

MD5
e8a967d181f4e362d9be8b85aa7f57e5

SHA1
7cd30483fd41739161bfc274023d286d83c40d5c

SHA256
fb364673f57346b0e30fd59e63e48abbbd8f82ff6da8b76fb7094f565b3176d1

SHA512
fac4e51f9917a6f4b30f77d39c7b1f09fc517ce76362a42f6e713101596d74a8319870cdafc28f009aa8ee14be898ba7136618df53c4fd0f838e71771121aba1

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
97KB

MD5
d37da5ef51f60c74c807990bafdcd21d

SHA1
44f333084ad1ad61c1115bef37d6e9ad74aa81d9

SHA256
54c53b091f7da32634dcbc937e8ba13f57024ab1cb5c70f7f246dd8172dbe93e

SHA512
c93679f40933197041a1ace3dc32e4650e763b3b5db1ba4672064c1eb2b8f2f04c06e4e7eb0db2676bc721eb07f6a4819fb43aa4ed471772047acd4d6c6407d9

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
97KB

MD5
5d8aa58685f76c09e448376c80c74094

SHA1
c9ef49ee42d5a2d7072f76744ce34cab2ae42a05

SHA256
4f67c963fe679c0fa9fc0caf14f9fe0898124c37431bbc97d9787096903b96b7

SHA512
0288e840eff6b43cbc97cd79a5e8dde335e132b99713e7f9b4a0f772802d5cd2ff7adaf9b08f0cfb13e58977c685870110a35b84fcf60390620de7232e956f32

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
97KB

MD5
74d7f1608fd57ee345d5e2c56fcb883d

SHA1
894ff8e6b367fd152188dc979ac7c6f8472fbb80

SHA256
eefbb86f416854f0bf1b27501ec192832ef6435536aa47b8efb6abcd0da9301a

SHA512
64037261cdef213d23e0aa8b531d3d4fa1ed5f0e3caa38025faad573c0d35f667feed638288f3e301504d5c6ef60764b02b5b40a0448430b6b7fe0ccd01f1c7b

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
97KB

MD5
9e7ab47ae95d8c6eb3c8a5110c756b9c

SHA1
12212d29faeb687ad4e1c6ca15e0f9b5b1277551

SHA256
02910fd64a6141b2539d959377904d4d664355dcb57d82ce370299b09fb2a352

SHA512
ad8de9ca1cebe8f68acd04bb8448f959b47f4d964800933353f677097300a3dde0d6cfe9100358080d1e15c88bc1bbaef0358e49a1b4486a1aa22fea4d36b250

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
97KB

MD5
83f29f93004831183df9ba0f3103175a

SHA1
21ce5a82a3c72e8d4abb097890f21c63d24b4af4

SHA256
50ba3f2f06fb50386fed5701730a29a17db61e7e7f43ce51e977dbaa9e2269e4

SHA512
a9d07e091324096a218d46442050c55e076ea21afb52edd225aca444fa04c9bc053088aa05678a40a348715bfeac8fecb9aafa7d7cc82917822cd18fca3757a0

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
97KB

MD5
4f00524a83018d6f217cab20b89622f7

SHA1
41190a2ba831e448bde2fe33e0b3102723e7ad29

SHA256
ae7fb6e3b8e9b5fa3210abe9b0142300ee6b17c996bdd1814126365e53499309

SHA512
b103ff9978b9a8506edb5555163f9a9021f90e40c638c0d506fad6acbc8eed213ff5d4e800201e88f9679fdba48ace9ec13ed490c956ac1554f505a5b8057118

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
97KB

MD5
2adaaf48501853830983a67dd8b30b1f

SHA1
f96384b6cbd1c03c17c34793fb7ba5908bfff272

SHA256
51161fcd06bc70de2f64a047577e54310b0046f318c09e56de4a1d6fad4da7af

SHA512
07ab733c50d588cc8b38c3afbb6fe605bb9269e346d4b8cd16a9e1f65c527e1965b2eae5b2d7b50e5846b89501061b2c1baf2667fa0248f1377976cfbfb24836

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
97KB

MD5
373b0d2cc7266bcc2dbeacaac4329e68

SHA1
f57f3798c0dc055bbd68a95bddf55e728150433d

SHA256
21e0c04dd38a7a756ebecac48839e2611ba7044e25e2d127b614c06917905678

SHA512
b7ab4354b3c330f11a2acb72d741f99921b485434fe0a142b6d1830f22d8253e0e74cb852d4e2ed29613f2f4f29d1caea2808a44121555bb73220078f38dc622

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
97KB

MD5
55ae92ec52188b7026bce4a7a96b29fe

SHA1
a0c6c16d9f1f824fd14a2521064a404dd36fdc69

SHA256
b35e400e733b565575d1af18b6ad0aab6450d5206fe3640705a7c10ab551ca70

SHA512
eeac41ba8b4ac3007334090a314ca19750251c783d83f5de3722c1ea6f023eec510c3dc491def578f47fe767c0ed40682c10aaea45625103fb8ae9c0f91fceef

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
97KB

MD5
de709ee30b2c40327dd7c5d53780e924

SHA1
8ec7e1bba8a94b3c4574694f662c131fe6af6eaa

SHA256
91a9f181f91dee69d3bc45f80083799f5d1e1873335893adaa121490c32cf7da

SHA512
8f2015ca07a0026bbedc964fcd3645239b1fe4c8558d5a75d55ee144bd61f4359c8e2cffafbf1a3066fda854c7efd4e9553d81b9f087d827f85b4216080e5ef3

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
97KB

MD5
9c4b8654a8a531cc0f3cc85e8f7c4581

SHA1
f3c372db6a8c5bc3f0f64f7b030538e4876cfa7e

SHA256
a1971042fd905190e3e12b5cfbf85c9ff7f45c24cbe22eea141d0adb93a31086

SHA512
76c495605fc8c9ea2cbeee3ec37e5f346aecae7a8f60f996e4eba7d2999683dd34edc698f58588d51bbe2df5ea26f6cd8193f5b94d2b420ccf5cb20e25197cea

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
97KB

MD5
1f3b0894c69df6fd26f5f50cbe995bba

SHA1
d25cd04707889a55403bb439a5d871531ff896f6

SHA256
176bcc01c6e01b8d184b288decf8889eadf938245a1a8f42d131c14643ac00f6

SHA512
50226cdadfd3b7d3e03d588f4f759172d131f7847eeb2064515fd374a37afe13ee38f71b341a256ca00165ad9b3f55cccb43bb53ce8f3926a1f9e91d92653642

Download Submit
C:\Windows\SysWOW64\Peeafpaf.dll

Filesize
7KB

MD5
5f3912890348c88fd73510b5e9e084fc

SHA1
949d5c9ecdef6a48fbe37a4c5f80271827a743b7

SHA256
937adfdaa55675d5df9356c6607cb092f846f13f95053e9bb794cea7d456a30b

SHA512
ff8ebf57a5e41dad500b97ea402e9e17193e01160c7c86cc4f2396472c685be72e536baf88b99e26cc5c08764740e762e30c6749bb23f987c16a980588a683f3

Download Submit
memory/368-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-930-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5164-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads