b2c1976ef5e9264bba911733e1a7ae81264b4d650eafea3f4b8b8abb55efccda

Analysis

max time kernel
130s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22b61b7541a686cb7bb25ac3cfc27585_NeikiAnalytics.exe
Size

324KB
MD5

22b61b7541a686cb7bb25ac3cfc27585
SHA1

fa5d51595d12271ea07b3ca054f1d6e6418dbe83
SHA256

b2c1976ef5e9264bba911733e1a7ae81264b4d650eafea3f4b8b8abb55efccda
SHA512

418a3675ffc22e0edc89d60535cdc292c56052ad797aa7492de27d81bd6a2961a46189897747c5ef2c359e64154b72a31882c781265e037f9ef1d74bc9b52436
SSDEEP

3072:TL0QT6yr5CrxdbMqlWGRdA6sQO56TQY2mEmjwCzAhjQjxNX+W5RK0:TYQTjr5wbWGRdA6sQc/Y+mjwjOx5H

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	22b61b7541a686cb7bb25ac3cfc27585_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe

Executes dropped EXE 64 IoCs

pid	Process
2428	Gbldaffp.exe
1160	Gjclbc32.exe
3940	Gmaioo32.exe
2660	Gppekj32.exe
64	Hclakimb.exe
2056	Hihicplj.exe
5076	Hapaemll.exe
5080	Hpbaqj32.exe
3380	Hmfbjnbp.exe
1332	Hpenfjad.exe
3476	Ipldfi32.exe
4248	Icgqggce.exe
4848	Iffmccbi.exe
2372	Iidipnal.exe
1220	Iakaql32.exe
2996	Icjmmg32.exe
3792	Iiffen32.exe
3424	Ipqnahgf.exe
2560	Ijfboafl.exe
3500	Iiibkn32.exe
4244	Ibagcc32.exe
4572	Ifmcdblq.exe
908	Iikopmkd.exe
444	Iabgaklg.exe
2912	Idacmfkj.exe
4996	Ijkljp32.exe
224	Imihfl32.exe
5104	Jpgdbg32.exe
212	Jfaloa32.exe
4488	Jiphkm32.exe
1520	Jpjqhgol.exe
3232	Jbhmdbnp.exe
2304	Jibeql32.exe
800	Jaimbj32.exe
1176	Jplmmfmi.exe
2200	Jbkjjblm.exe
2180	Jjbako32.exe
3376	Jidbflcj.exe
3872	Jpojcf32.exe
2672	Jbmfoa32.exe
2252	Jfhbppbc.exe
1724	Jmbklj32.exe
3828	Jpaghf32.exe
856	Jbocea32.exe
4564	Jkfkfohj.exe
4020	Jiikak32.exe
3432	Kaqcbi32.exe
4288	Kdopod32.exe
424	Kkihknfg.exe
1252	Kilhgk32.exe
3488	Kacphh32.exe
2768	Kpepcedo.exe
2624	Kbdmpqcb.exe
1136	Kkkdan32.exe
3928	Kinemkko.exe
5032	Kaemnhla.exe
1536	Kdcijcke.exe
2312	Kbfiep32.exe
3228	Kknafn32.exe
3784	Kipabjil.exe
4608	Kagichjo.exe
4644	Kdffocib.exe
1912	Kcifkp32.exe
4232	Kkpnlm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5856	6132	WerFault.exe	222

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 2428	4100	22b61b7541a686cb7bb25ac3cfc27585_NeikiAnalytics.exe	83
PID 4100 wrote to memory of 2428	4100	22b61b7541a686cb7bb25ac3cfc27585_NeikiAnalytics.exe	83
PID 4100 wrote to memory of 2428	4100	22b61b7541a686cb7bb25ac3cfc27585_NeikiAnalytics.exe	83
PID 2428 wrote to memory of 1160	2428	Gbldaffp.exe	84
PID 2428 wrote to memory of 1160	2428	Gbldaffp.exe	84
PID 2428 wrote to memory of 1160	2428	Gbldaffp.exe	84
PID 1160 wrote to memory of 3940	1160	Gjclbc32.exe	85
PID 1160 wrote to memory of 3940	1160	Gjclbc32.exe	85
PID 1160 wrote to memory of 3940	1160	Gjclbc32.exe	85
PID 3940 wrote to memory of 2660	3940	Gmaioo32.exe	86
PID 3940 wrote to memory of 2660	3940	Gmaioo32.exe	86
PID 3940 wrote to memory of 2660	3940	Gmaioo32.exe	86
PID 2660 wrote to memory of 64	2660	Gppekj32.exe	87
PID 2660 wrote to memory of 64	2660	Gppekj32.exe	87
PID 2660 wrote to memory of 64	2660	Gppekj32.exe	87
PID 64 wrote to memory of 2056	64	Hclakimb.exe	88
PID 64 wrote to memory of 2056	64	Hclakimb.exe	88
PID 64 wrote to memory of 2056	64	Hclakimb.exe	88
PID 2056 wrote to memory of 5076	2056	Hihicplj.exe	89
PID 2056 wrote to memory of 5076	2056	Hihicplj.exe	89
PID 2056 wrote to memory of 5076	2056	Hihicplj.exe	89
PID 5076 wrote to memory of 5080	5076	Hapaemll.exe	90
PID 5076 wrote to memory of 5080	5076	Hapaemll.exe	90
PID 5076 wrote to memory of 5080	5076	Hapaemll.exe	90
PID 5080 wrote to memory of 3380	5080	Hpbaqj32.exe	91
PID 5080 wrote to memory of 3380	5080	Hpbaqj32.exe	91
PID 5080 wrote to memory of 3380	5080	Hpbaqj32.exe	91
PID 3380 wrote to memory of 1332	3380	Hmfbjnbp.exe	92
PID 3380 wrote to memory of 1332	3380	Hmfbjnbp.exe	92
PID 3380 wrote to memory of 1332	3380	Hmfbjnbp.exe	92
PID 1332 wrote to memory of 3476	1332	Hpenfjad.exe	93
PID 1332 wrote to memory of 3476	1332	Hpenfjad.exe	93
PID 1332 wrote to memory of 3476	1332	Hpenfjad.exe	93
PID 3476 wrote to memory of 4248	3476	Ipldfi32.exe	94
PID 3476 wrote to memory of 4248	3476	Ipldfi32.exe	94
PID 3476 wrote to memory of 4248	3476	Ipldfi32.exe	94
PID 4248 wrote to memory of 4848	4248	Icgqggce.exe	95
PID 4248 wrote to memory of 4848	4248	Icgqggce.exe	95
PID 4248 wrote to memory of 4848	4248	Icgqggce.exe	95
PID 4848 wrote to memory of 2372	4848	Iffmccbi.exe	96
PID 4848 wrote to memory of 2372	4848	Iffmccbi.exe	96
PID 4848 wrote to memory of 2372	4848	Iffmccbi.exe	96
PID 2372 wrote to memory of 1220	2372	Iidipnal.exe	98
PID 2372 wrote to memory of 1220	2372	Iidipnal.exe	98
PID 2372 wrote to memory of 1220	2372	Iidipnal.exe	98
PID 1220 wrote to memory of 2996	1220	Iakaql32.exe	99
PID 1220 wrote to memory of 2996	1220	Iakaql32.exe	99
PID 1220 wrote to memory of 2996	1220	Iakaql32.exe	99
PID 2996 wrote to memory of 3792	2996	Icjmmg32.exe	100
PID 2996 wrote to memory of 3792	2996	Icjmmg32.exe	100
PID 2996 wrote to memory of 3792	2996	Icjmmg32.exe	100
PID 3792 wrote to memory of 3424	3792	Iiffen32.exe	101
PID 3792 wrote to memory of 3424	3792	Iiffen32.exe	101
PID 3792 wrote to memory of 3424	3792	Iiffen32.exe	101
PID 3424 wrote to memory of 2560	3424	Ipqnahgf.exe	102
PID 3424 wrote to memory of 2560	3424	Ipqnahgf.exe	102
PID 3424 wrote to memory of 2560	3424	Ipqnahgf.exe	102
PID 2560 wrote to memory of 3500	2560	Ijfboafl.exe	103
PID 2560 wrote to memory of 3500	2560	Ijfboafl.exe	103
PID 2560 wrote to memory of 3500	2560	Ijfboafl.exe	103
PID 3500 wrote to memory of 4244	3500	Iiibkn32.exe	104
PID 3500 wrote to memory of 4244	3500	Iiibkn32.exe	104
PID 3500 wrote to memory of 4244	3500	Iiibkn32.exe	104
PID 4244 wrote to memory of 4572	4244	Ibagcc32.exe	105

C:\Users\Admin\AppData\Local\Temp\22b61b7541a686cb7bb25ac3cfc27585_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22b61b7541a686cb7bb25ac3cfc27585_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\Gbldaffp.exe
  C:\Windows\system32\Gbldaffp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\Gjclbc32.exe
    C:\Windows\system32\Gjclbc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\Gmaioo32.exe
      C:\Windows\system32\Gmaioo32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        24⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        25⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        26⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        28⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        31⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        40⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        42⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        47⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        51⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        54⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        67⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        69⤵
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        71⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        72⤵
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        73⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        74⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        75⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        76⤵
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        77⤵
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        78⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        81⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        82⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        85⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        89⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        94⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        99⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        107⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        109⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        111⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        112⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        115⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        121⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        122⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        125⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        126⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        127⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        129⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        133⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        135⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        136⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 220
        137⤵
        Program crash
        
        PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 6132 -ip 6132
1⤵
PID:5712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
324KB

MD5
ff65fd9bef12f50086aee94f30a37167

SHA1
aea9b1803044c386f20bf271c70192458b889b01

SHA256
05f3e36c6b6a27258761ce18476e22e052141a7985e38ef08d65143914751847

SHA512
80ef8391f1542f90c493a5b9a259a04979629b8277ff1a346e29d108653429a8aaf5a8fda643bea2b37b9608c7c259e053a024ae67c6acdf6bc96b34063c6a36

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
324KB

MD5
f83fe2043e4b23413177d139b02f2ebb

SHA1
1057e5881b39f233d92e57294c18d14c91ca25e0

SHA256
c9e9c622c72adcd6e5946da4a91326ccbb0196056fb5ba67664f514a7013875c

SHA512
d2b9853ff34191d81cf12140402f183394a777f5313cbe0a7ddd792374510e00e2aa727e5d22a23a8942767566128d6cedb791037d3980678fa75c1678a6d397

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
324KB

MD5
fad075f9eaa8c38f49cd2960f8bc096b

SHA1
684632632550dcaf817413e3a2242c310c76b583

SHA256
065d64e60f63b658c19c74aa25216321d1bc6c45811645d9817c195035c679da

SHA512
5d5c84acd15a851366b799c01b7571488b6b330521099c02632c5c822df90fe3b4b1710b229425aabbd024640845cf2f4557cdfc82b6b9ae5db33bd3059cad6c

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
324KB

MD5
22f389dcea682d78183281162ea84a63

SHA1
8ab951bfe529868013197eb1dfa7303704fbbe89

SHA256
b533fa731150d8795312c898e05e980a67c7064aa87931c28f1956e020c704c9

SHA512
327c5f8e0c38a7b581b4606cc78d947971e7a588c79aa8b2dacb815a56f9c96425420b11226db5bd24b0e44fb2c5b878aa7e4daee8b39f7c0d163a6528246b70

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
324KB

MD5
c80a31e1e0f84e0b2a55b8cd83de03d2

SHA1
61096bc01cc0875e49715185aea9c3350c1fee35

SHA256
c06cc0438a7d7cb7fdb712e1694ae7a4ebcfa24fbe02ee92ecb5d53f844a42de

SHA512
0ee245409120813336543a744d74b6aedca7935535ee85d9e0d37f8b60046f6e542c35c02878afc8133b109ad463a7a9f5eb0bbbc20854daca75ab7564161bf0

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
324KB

MD5
5af02bc6bc23626258bf4015c127a2fb

SHA1
990a3a325571d7dd5c5fd542c34e85cfab1e45e2

SHA256
012b6dd9836deff2cf3c807ad5c4bc744fadc0401af652534b2d8141f9f80555

SHA512
696993e4d4c4817ea7c4c218bb4236c2e946c63acdf061a336a4d3afa5b2b5396920fa47b0eccd537a786d87edd53a0f2777dd78a42bc54712854c23a7d493f7

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
324KB

MD5
6efb196dca9e1e610807febad8f22f0e

SHA1
71aaf4856ee14859c1060358e620cb4c83b4c49e

SHA256
bf35b67f515f1653638db61f6cf4d971d0cafde2eda0c26c21dac875692824b9

SHA512
7fb8b060e925c7c7f36949985eee3452862ac7abc96478b179f7102de24948734430fcf484659692a0d064fb760938161da699bed6988be4fb47d184b62a20cf

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
324KB

MD5
7fc49e65461fad17eb87a4f384177dd2

SHA1
898070ce208b82243eb830a0f8b7207c0bad0dde

SHA256
16198c10b96e10d9027c4429c4079a790937581733671896fb3c2007c892292a

SHA512
54c14579d89c1867128a102afd97bdb149acb83b191ac57488e4c44947b591633aa179ce1fc9b4e6bd822db37770a60d115e0e11142a786c445926876d197130

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
324KB

MD5
e8f74fd6eed4a29f073b19fadabce54c

SHA1
18aad4a1319af36f423960d0e79a3903bee1c022

SHA256
b729b2e5142f9694e9864c98ba416292dd236fbf2160e456e80b09bc90cd50c8

SHA512
43987b266f2c8781ffbe76a7d8ed3af52c54d123fabcef17f878cfcb8380bfe17ab8f38ea063081eddd4123c75cf01789cab66bff43602fa7e927469f54999cb

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
324KB

MD5
bc343cf57cab3b1077ed4572fae53e26

SHA1
044af184c0b33633a9e01a490d929ddb2776500f

SHA256
cdc5cb1650e66078f7f918bf21a4b6770ebfefc62b2b6aff0a10d115d330940a

SHA512
0e98b30b86e3764a5c77ee86ac85dcc2d59c0db9a4e7a6b3ab8fd768c20be9e8ad1e539df8e71118c67d02550dd5fb758d42c30a0f93e352509cb28e37b3a2d3

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
324KB

MD5
584ca0723cce71b690db1e50374f409f

SHA1
e965d06f7ce30584ccc691c99587d7f6282d61a6

SHA256
f786dd168770456a91b5a16a88c10a4ef5f6cf7f54762117e130b20d81011790

SHA512
b13e3e4c9b7ad76f1b4da5784ef87c264bdf80a1427209f79e5daf7ffac9b0ddfaa48c9d0c561c1c68bf45e0b48ddc1012190d95d6d968d27b3d92a83842e7a4

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
324KB

MD5
f551e078c92f4af478bf6a6536063bc1

SHA1
0265cd9a901da88f2209a54fe7424cd9d0f91219

SHA256
974b1588e46d9e5734805e12d259d5d0e36bec8120e07dba5cb6b4acda08e364

SHA512
5dc521967b2407b0c6c86882f9eb59ffe6d0ee418cfd9dd18a735749461d2468aae5f06ea398a1f640c6cbcdf915f63cdc01d693632f21fcb0643297b14cd049

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
324KB

MD5
a1eb18d83b74778f6b5f6e5736e6bce4

SHA1
d0461dc0dbac25a448513dada4675513844f5f93

SHA256
bd86e7dc5fb7394ed82164f5b1850345edc6990595ad42d9099567cb74c7c49a

SHA512
d753547a48f0eda7143cff24911fbb080e8315317267e67123038dbb9f6505188193865dfee471473ae8ed2e7319db1d1e884572b9524ddc604adb6b57915ae1

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
324KB

MD5
94579e51338adead608bf17b69ed1e3a

SHA1
85c642fa7eaa66f31a732bacc1421696ebcf358e

SHA256
40e346729efc181edf67de864eeb2354fc54792153c1ff7746879acb7977ef8a

SHA512
f64c75d7f7814a19dadc5904e257ebddea918ba160902a0a4ba639aa29467b5b864b0acd05af16f6970ccea964915a1d8acff177a86e38c64fc87a2139495444

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
324KB

MD5
859297d539ea153c1c9bba25306302a2

SHA1
8701610fbd2a429995204cc052b685503c151a89

SHA256
64ad282e1bc58249da954f74f87390da12c7f49e2cda449a3c0263776e7053c8

SHA512
01468ef4dc52cbb9899b861236010f46e75ea537943c020b0ad97ba3b356f8714da749d6433399eccd0ee73c04d0a053099a38f50550cd8db1329a55f851aeaf

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
324KB

MD5
266604938585c00cdca382175eee90d2

SHA1
cac8ab9a3bac40ad79b9df3a7842278ec472526b

SHA256
7ec29ca3484673a6cd1dd917a40bec21c75b366362896fa000c2dee036e344ad

SHA512
986433c2448865861300e743a869182a3f11588c815d8bb0f5d1e8a9b433fbe0a5a417780a4ee33298dd702f469ca2857768f7cc09df593962cd6bedbd3d4eb5

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
324KB

MD5
f42222b4635c81f3bad9607af7a229be

SHA1
240d2f6ba840040547c93636104b8622d1018c1c

SHA256
d319297282f287f1ca47c7276e72b1ade8e33ab0ac560853af1781b1bad8d96f

SHA512
66abb8e976ed50a51be43c05b70a506bc10a9c0b91768f0a721a100de42560fe601708bd7ecbc254b31f732e952ebe702adaacc1a4ca712b19cbfefd0678e91a

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
324KB

MD5
d7e9c87650634dde2d2581888575299e

SHA1
7c431b37294aac7d493f7d2f7612100135a7d4af

SHA256
359596505f9fdb7f5eede432be97eda8f11280bf93d5e24a9d8776f6c6a30280

SHA512
5c6df8bd90139bd63242972ed919692aa666b2e959ab425f88d8b9b14ad1cdc406dc9f793dbe16cab643603620f385e48b6f96d3a7afdb892955660dc0e2a08b

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
324KB

MD5
01aea93e6485fa0877c51f642264ec73

SHA1
af5b129b0b5f9dd628f7fbe6499861fe1169d1d0

SHA256
6f737b245deed8746b1d609c2abb0388a1ada9a3a7ba64b298b5826d03a406e5

SHA512
72ddb4ad9bd85d7379f81e552dae1df85999833db6a7a69a9a23de34e717e328b4f5dc57c6abaaeed762a62070d1669ea6b9642040c3ae48bf23e70293a8f72e

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
324KB

MD5
2d6df2765227fb65ea6ad40e06f6c32b

SHA1
21376d9b09251af247ab7c07ff5a9bd598dcf265

SHA256
bcd232c6bc14c37d1cb9542235509e39784b3aa12a1fc44b464e0ebdf989f665

SHA512
b2e296ccfeb17f4f197bb11f0bd84caf88009c486812dfc6575e9725d092849f4fa73ec0e5e4c1409016d1c377f7b0c73daf189682b1ed3b99ec2220f882e15d

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
324KB

MD5
483ec2098156f771ed33103d0dede372

SHA1
6d34d3d887605ce3c2009205faae91146e3a1c0f

SHA256
38c9107fa927337bf1f8ab075f18bfc38804aeb81c76e500b45fb6c0127705c1

SHA512
58d656dd74e8191989e1880205d0b39bb2f05c73358b78e118859b973b0aeb8493b23ddbb855fa6c76d9103d9ab03fd03c2f72df384ebdc09a5b9248fdba602d

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
324KB

MD5
b6b95753dcc61591a833e6c03e75e5a1

SHA1
c70a2f14d99575e2ccec59d37c4fb228137ab82a

SHA256
84592fdbfd6bb9cf23e9231f39648fba46afa68417c47c72330b96f7af24f431

SHA512
8a02958f50b42904d2380227fdb463965650ab993a2ece2db5d33938ad530cec494dd696778e5967e35d56f10cf6e9633b5a0702cf750fdc5cd34bb685a785e2

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
324KB

MD5
2e02d05c26432dcbb9edb4a665a5ae06

SHA1
371d17b9735bacade5e60958c1bd0cef6328a195

SHA256
ff5e9fb80471128af131dbf319bcad5390d857b57a709aafc55dd7b803f02462

SHA512
06a9958e49825f7a3ef9448bc83dfcde49137bf6c0d5d2c72dc3156ee34df2ad3b1b416a44ff0ffdd08eef13245d0f79c9a187632e106f9f1dd201d5f8f8081a

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
324KB

MD5
d943959bae87d8652d2347b88420ab2c

SHA1
2a6c2728ea8436759605d436f6c4c9b108da087e

SHA256
23fb53aefe3bf46139bf8157e0a514ed5376c5530de71894b6e9d7c622f36e22

SHA512
8481479229b599b8403db393276a8f53a7bd894c890d972f5178f6b469a44008abadeb29d2a2517415a765d0d8ab1b7ec82d18ca4e1c68426a19e133ab3e001b

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
324KB

MD5
46ba2593c5f8942c52251015fbb6420c

SHA1
bd9441b6592fa9275e4196fc0921fdf0406a1c2e

SHA256
8546dd73b2167dba12f8a2be1c476686847d782f6e0c4fd6c2ada9f3bda17b27

SHA512
452009b0a00f8f0e4bbd0ad86201de34a3ffa96e1aa2f3266526a16c04b8d3f27eb9eb95346bf6d7a78b5ee53e59df9ca51e72e4948eb8b72e45fc9151c79b6a

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
324KB

MD5
989a285b32bb8ad4c5d3245a5141af26

SHA1
cd7a2ded3fe58db64c6af9269dc5a6ce73274a45

SHA256
0c3861a789b2e8ea7dbc0dda62681ad7ade93c9c82cccf32d626736957b3e29d

SHA512
c856eca7db6d4a37fd96c055a6b7a765dcb92725065abc41003344640f68921a2cdaa0f42253adba9570ac6c99c79c349c8d03740986b3d6becf0bcf2d8550ff

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
324KB

MD5
39530a2fb48a1075fb4e986fdd7d7168

SHA1
c0442ac17229309f5c425cce67a256e3f4efc7d4

SHA256
8c6be0ae0463ac3bcedd140ce970d3ddef3e63499cb9839e46e33920164af382

SHA512
fb990e9d2c9560e22171287d05a98cc2f87ee5059ecfe014f182f558046bcbb2d56af71bd26873b6633922c2c184b13ed9ecf911760b3d48d0c344118cbacd92

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
324KB

MD5
051efab7025adb9996a9c5fe07398e1b

SHA1
29bd66fc91b3daeb4348882a10cbe0447bfa1c16

SHA256
5c20cd2bbffa1d4ff80c9fd7a7b2b54546885faad2c2c42471e3febab719ef41

SHA512
7b2dc91c3bdac85c6c8a10f5203b3f3f521a9b939df65ec31361eb6f3c9e83f5b040730a1532e05127756aa49b1bc423e0dd388e7ae79f9941af4f38c5710843

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
324KB

MD5
813ae22790baa480b5e99ae6845f541c

SHA1
56f7c7e8e1069d170f19c2975af28aa72fb1f6e0

SHA256
4755cf92e69a3663412b6032885382d89bc155aaaffb8c99a8ab6f93f8bc21f7

SHA512
4b6f9630a14689ff33dad0afe916d6cfc65aa97f93983217fcd39c00fc2f3ac753ae1dedc5da09768c5e502e329c8d806ffe3e2c5f818b993eb79a5f71028386

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
324KB

MD5
5ae270e082a171e10b5ebfbf6fdbc832

SHA1
27ab4a537f579f112ea6a48eaae5aa6b72240dae

SHA256
10ef5ea82a87a640ef69e33fa03f0a4257c79b04545350e9d05d92526ff09cee

SHA512
1d63a9ff3a23670edde99bbf9e245db4440ba5b1db3518ad64f7bebe89e9b90dfdb3fe3122146c6bc702e24626c2045f2e0651af05f8f18097e6bf88836d6aa4

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
324KB

MD5
b806590b5a18a13d80446a0292366773

SHA1
6c18403a26bce16c607f1b4a12f078874d9a98c5

SHA256
d329458309c2846e39061945652da6b47d6782e7525739a64077d60beed4e799

SHA512
e7f63734a502065fd49aca54f2ad33a83fa35c8960361716343b4e4af93f695c88adbdbe69ab2a0cf854f4c070bbfc0911087a7c9288f3a38e465ca775717235

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
324KB

MD5
0babd6dba1377a4304b922a61a8fabb4

SHA1
d8be41d6bf8d7076516e76a416cbefcf4aed2f2d

SHA256
f49e44cd68400ee6d2098445ec5430ae4845e9b5dc0a80322f5d2e7550841fbb

SHA512
1b14a49f4b8561bdb302d3b015c11e9fc6712892c9c3d7fd3cbf4fd35eb85c3e78b951816fa1b23e28374a2445aad11aa230adbfc42f4b8e8c51424e78efece7

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
324KB

MD5
bdbbe347449a34434ac7c68a4e5a363e

SHA1
78c3fca538ef49e807d11a1903d52f9bac5aa5ca

SHA256
230669175f42128c20c03898cf80593c57d5551fbf395bed36fb5509a7d5e412

SHA512
7785646662d85903a2d32fe8e17d68911697556efb717c2b5439ddce9233664992acafc8813aeb6d059aa2c428ebdc8b5cb4b5cd8554f4843f011eaea1f42727

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
324KB

MD5
9d5ddd5993752b330e9309a01da77f95

SHA1
178435dd328f310cbdfcf2a487fa10642a6db82b

SHA256
ac0af11742952fadc2007b2a823863b1bead688417fac5f4b11ca82ab564d56d

SHA512
542b47d4cb2eae7f15aa3c005605bba10e16c7f6ae4646441beaf42108ce5727ebcf3f71cee3de60a6fd2370e88c7dbb0547beb46eaed009900fa1f4cd189406

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
324KB

MD5
36b83fb94e29e4fb647d0135bdf1c7d8

SHA1
28242bfeab8ef37d92987155f203fbf611311193

SHA256
a2b3c2bb4bd32a46200b4dd96e2f91f8af72835bc0fed2844c816b2eac6d619c

SHA512
8936e88ac90fdb21ee5307e73071d1a21dad146e6d5a0466afb5a55095e41f592b130e15bd46a2ffeeaa69c9e5f81e39a99e3263b251a3d29360c9f95ce576f4

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
324KB

MD5
a4082244501186f68d2b8da30b045e2c

SHA1
cd60eb0f8d4360aab6f29638acf4e448711b66fb

SHA256
ee69b55afc20060ec18ae1f2b500226bf79e1f29f09905ff52a9a1b996843789

SHA512
8bcda988e293c5dc45a40e838d5c9a0c5ce15500a8719896518a17a6d86fbb6c7a709d5f32d2f7ea73f4e87e3c1d2a7190d021595f02c7f4bcebbcd0666cd4a0

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
324KB

MD5
32fea5f8e1bd3303d9afb936c65b1771

SHA1
e6a39c113fd6ed9eeb3e4ac27d40ba01bb744d69

SHA256
d6651939538e60f369b433709517f65f0f5cee715bd2623c42400249e033bb6c

SHA512
818c1c50edd7868c82cec8b49a50277992a66052f3786465f40f7ab5265a73668e316f93cf297ecd8616a1a516f6765fd89fc7b6be477fabb1386aebe789af5d

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
324KB

MD5
52b9ff31df931017c1e89f2341ccd9a2

SHA1
4f51e3c9a0d20e749b8e6c60a8b34601bf45cc1c

SHA256
996cdeb19222fd843414d7d3c3c7901cc046d5ec959447a90df2b4799da612ea

SHA512
59d9ae3e4382279fd417a066ece9227e7059ee5e06b78d57d54ef0025cdadbb2dca2e19a2259d91489db22217daf21026220e08ef04e826982a7a9cdd8946036

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
324KB

MD5
53fc62f6a28b4fdfa4c46a87613e1dc4

SHA1
02d1c9f873051ac9e1dd7b08d61fa0c36abce5a2

SHA256
7f5df176b6860e8fa9d47de5c29631654c338ad47238b67be947455a8b0e38f0

SHA512
acfe3f1e81c0f067b628a57b5c94c7bc8147cf48919da72452e11e90042878c9d3cac2bea6c8016203331e3f05ed3336fe0dbef8e912f97e50029996a073e5cd

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
324KB

MD5
3040340a5d9f41a4912923c99fb721fb

SHA1
e82e0cf8f3842774f8f4f886ab924efc2fe02b01

SHA256
a4ad0f56ce6ac29b4dea5ec75c2857d186baabc6059a96764b4c4de037987c14

SHA512
99d271416ed60855b8cb5e2168334ff7b10f42b2d57ca81910942d60639dd1368a1a05696af325ddd5d238f7d67c0762152cb10a2045ea6022a125a8391d0120

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
324KB

MD5
08322464228f0a54c3001a3fc64c524e

SHA1
c180b9664c0b31db016c896e4abd18232227a893

SHA256
9a131d0b645a380ddfc72528b5e2344c7630f85d2c16137143ca0a63dc3b07ce

SHA512
358b67b066f7c13e1bd66bbe7edafe79d2ea35f417bd9b3f396bd1caea3984dc1edb6aaaf11e71023c50e5c3d57faf286a729a3aa40499b3ef7b8051d366088e

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
324KB

MD5
0de9e5f2b912f64008e62a4415129782

SHA1
551a07423afbda8bda49728a12c7f541a4978b3c

SHA256
975af16a783f4ce096a6cd2d406b19811ad227cb260b2460257fc1fc9faa8226

SHA512
f3a5201cfa32f48d16c3a2791d6349258dd4fdd00ca0eef9dc1cb909126d3411cd1d7431d4ec457a99a64363f9595e3f07a2319befc70fbb428b88c54be7bffa

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
324KB

MD5
2e827bca433094ec8402283e6e4d0c8b

SHA1
d27eeab7c79acccc42b51f0da52cfc3c81c90d7e

SHA256
d434fec7d802fd55416a596187323c215bd2f22498a73d3976e4dd1f9dcbe535

SHA512
ecef526874133c5f01f455a1509336738eb6a3fb67966aa4713b74f10cdc713de89f16c3cbd2effbf78d804890c8b3a044178c8575761c1774a455893df58bca

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
324KB

MD5
5d1b865e19735f0bcdbd0519d01f7528

SHA1
f4599ff670c87f803b2ded9022d4cb93bff34b71

SHA256
748d2840277d6dae45e2e809add836ff7bab5a0f3efd54d87869410b0de1e1ff

SHA512
986df56a853d91c3394659d46c0dd08d4e29c8401bb2a6f3620672d68a6633f498f60f8fdd81ad5323a26202793c862c148020880d9fdcd1b8f41c04bccda604

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
324KB

MD5
9a0f2777a6431f3ba21a8f6bb1e3c210

SHA1
23e519cfc035b30708a4d2d8d90ef25e92b87b39

SHA256
32d24786821e7f9a3c6213db9403bb4135af5cde2e057a2e9c678a91e9ecbded

SHA512
f1b97b83f4c18d247447e2d9f29e230afdafa9b0842b391dd6da94e2d4a1722b7d9e62a15cc311884391dccb4e8d891cdfd07f017d18d9ceab935dd06f33e80f

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
324KB

MD5
3a4efffd410b13df1b156d7e91b55304

SHA1
9c2e4153ab7728198b7b348168c55cd29d25278a

SHA256
a95cba06d63ccaa9255147cb56519dc163a3ac16313eb69ed3e7368664efca63

SHA512
36d78ccf9ba9cd9ab1fa5b0889d6122b30da9b90eeda7fd8f8551b164499a9da6a2eff967c5a725238b3299723ec1b93e7b29910eddeba920138977d2e259e2e

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
324KB

MD5
f7e702822fbf29a4243600c80fce35f9

SHA1
9771af7a5ac5303f6ec5b2bc8cb8b1740ad58cac

SHA256
79b191b1020c2e44efd40d5039b6eb264398a48dd9bca53cc25f8b218c14e2c6

SHA512
24fd5995df68fbcd2a6f8a781dfa507f4d509edc18e46e174fe9a225359dc11174665832ab25852010bd4db2ddc4bb6af31e4dcbef108569755469d89e58a158

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
324KB

MD5
25d54ae87958c1c13bc2c53ddfade2a0

SHA1
e77cd409454425155e32587f6975080e70266b12

SHA256
fb3a7ccbcb69416d1eee2bacb5cb89b6a9f1377ad7b68f09bc2d0c96a4e58d74

SHA512
ffee1a03301e4cab45e61b1c06139aca82c77f43469f46f31f204a561c1d3cf6547334ad9e0f2291d2a9ded7e9728d1fdf6e2e3659ea33205a7052bb0f6e44d5

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
324KB

MD5
113b3c48a32fe9fd7028a712c5176108

SHA1
f06e7b52924e4898a0f6f4ae052b0d3569a3b0af

SHA256
4131c236ff37d97115013164ab9657bc4b91c25facd3130b9ff527b1859a59a0

SHA512
d92296fc9c8d4a5ac1f76fe550bd4cb19d17ce39e7d5799242023704df90fc6e06fdf2a79b973474e01b51e3d1edc8e48fb91753e641dffd0740fec1d3825937

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
324KB

MD5
8e27175f5531a0ce030781beed7b699d

SHA1
de37dcf2a1d03ebb05d25452660baacb8859f074

SHA256
57e0051ca53df555b4c32bc24c09cfcb11a7d4f34d478938e5ea5b4a5618d728

SHA512
9caea8869c52eddbcfefffbc692083aa96c0ecb2959e3d73e048a5aa1a19c6a5ede07a9dda1118d6c1bd63e8b59081d0f35b1058ae103fbc18973d2ecf0c56f4

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
324KB

MD5
8ab5350dc6db71a952f6d9dcfec07996

SHA1
9c858f1c9dc0f837fd58b3c003989b6b4141550f

SHA256
097699f33bf084cebf218a6dd9c47ba2422c0b83126b43e1c3f0b31481c8a493

SHA512
0a1626866cc4f2f0bef420ae57684fb18dcb89c78235858201b9d410a4bbe44f3076ff21f3837655e56ff84c9a2c4397abca02c6684395695febcb3ef29f0f61

Download Submit
memory/64-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/424-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4100-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-1000-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-997-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5264-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5272-939-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5352-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5396-990-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5396-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5440-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5480-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5564-954-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5880-928-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6012-967-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6088-926-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads