8308bc4fba08ffb8328685d90c0358c889f6059291d8f6c05bae9413af738194

Analysis

max time kernel
141s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704a41f91ec542d366867a973fb11d60_NeikiAnalytics.exe
Size

80KB
MD5

704a41f91ec542d366867a973fb11d60
SHA1

415e15072a63d5080d8cb69ff986ccd2d0dcaba9
SHA256

8308bc4fba08ffb8328685d90c0358c889f6059291d8f6c05bae9413af738194
SHA512

c17c08ba8b2f1bc43c145bd459537f84725248bdb18e355ac06e0703f5da98d8fdb177c2630da5b342f88931f52e6eda6cda0bb91088197b7ccb5dc95d8a6839
SSDEEP

1536:TOgGEO9BPeeFWUB4WkIjFJsy5qMz/Qf5nYKRQABgRJJ5R2xOSC4BG:3O9B7FWO4xI3sn5nYKeUgrJ5wxO344

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe

Executes dropped EXE 64 IoCs

pid	Process
880	Gogbdl32.exe
4660	Gjlfbd32.exe
3820	Gmkbnp32.exe
4792	Goiojk32.exe
1788	Gjocgdkg.exe
1208	Gqikdn32.exe
4984	Gcggpj32.exe
3340	Gjapmdid.exe
964	Gidphq32.exe
1292	Gqkhjn32.exe
5048	Gcidfi32.exe
5088	Gfhqbe32.exe
4604	Gmaioo32.exe
4708	Hboagf32.exe
3616	Hjfihc32.exe
4536	Hpbaqj32.exe
4896	Hbanme32.exe
1200	Hikfip32.exe
1332	Hpenfjad.exe
1540	Hbckbepg.exe
1856	Hjjbcbqj.exe
2444	Hadkpm32.exe
4804	Hccglh32.exe
3828	Hjmoibog.exe
532	Hippdo32.exe
1108	Hpihai32.exe
1864	Hfcpncdk.exe
4184	Hibljoco.exe
4324	Hmmhjm32.exe
1948	Ijaida32.exe
4608	Iakaql32.exe
1012	Ibmmhdhm.exe
2592	Ijdeiaio.exe
2084	Imbaemhc.exe
4208	Icljbg32.exe
4580	Ijfboafl.exe
5072	Iapjlk32.exe
4624	Idofhfmm.exe
540	Ibagcc32.exe
2464	Imgkql32.exe
548	Iabgaklg.exe
2068	Ijkljp32.exe
804	Imihfl32.exe
3656	Jbfpobpb.exe
3268	Jbhmdbnp.exe
3780	Jmnaakne.exe
4408	Jbkjjblm.exe
1920	Jjbako32.exe
3096	Jaljgidl.exe
4436	Jfhbppbc.exe
4328	Jigollag.exe
4544	Jangmibi.exe
1504	Jdmcidam.exe
3220	Jiikak32.exe
4944	Kpccnefa.exe
2124	Kbapjafe.exe
3824	Kkihknfg.exe
4592	Kacphh32.exe
1044	Kdaldd32.exe
1768	Kgphpo32.exe
2824	Kkkdan32.exe
4420	Kaemnhla.exe
3524	Kdcijcke.exe
4700	Kknafn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	704a41f91ec542d366867a973fb11d60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gjapmdid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6320	6220	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 880	1092	704a41f91ec542d366867a973fb11d60_NeikiAnalytics.exe	83
PID 1092 wrote to memory of 880	1092	704a41f91ec542d366867a973fb11d60_NeikiAnalytics.exe	83
PID 1092 wrote to memory of 880	1092	704a41f91ec542d366867a973fb11d60_NeikiAnalytics.exe	83
PID 880 wrote to memory of 4660	880	Gogbdl32.exe	84
PID 880 wrote to memory of 4660	880	Gogbdl32.exe	84
PID 880 wrote to memory of 4660	880	Gogbdl32.exe	84
PID 4660 wrote to memory of 3820	4660	Gjlfbd32.exe	85
PID 4660 wrote to memory of 3820	4660	Gjlfbd32.exe	85
PID 4660 wrote to memory of 3820	4660	Gjlfbd32.exe	85
PID 3820 wrote to memory of 4792	3820	Gmkbnp32.exe	86
PID 3820 wrote to memory of 4792	3820	Gmkbnp32.exe	86
PID 3820 wrote to memory of 4792	3820	Gmkbnp32.exe	86
PID 4792 wrote to memory of 1788	4792	Goiojk32.exe	87
PID 4792 wrote to memory of 1788	4792	Goiojk32.exe	87
PID 4792 wrote to memory of 1788	4792	Goiojk32.exe	87
PID 1788 wrote to memory of 1208	1788	Gjocgdkg.exe	88
PID 1788 wrote to memory of 1208	1788	Gjocgdkg.exe	88
PID 1788 wrote to memory of 1208	1788	Gjocgdkg.exe	88
PID 1208 wrote to memory of 4984	1208	Gqikdn32.exe	89
PID 1208 wrote to memory of 4984	1208	Gqikdn32.exe	89
PID 1208 wrote to memory of 4984	1208	Gqikdn32.exe	89
PID 4984 wrote to memory of 3340	4984	Gcggpj32.exe	90
PID 4984 wrote to memory of 3340	4984	Gcggpj32.exe	90
PID 4984 wrote to memory of 3340	4984	Gcggpj32.exe	90
PID 3340 wrote to memory of 964	3340	Gjapmdid.exe	91
PID 3340 wrote to memory of 964	3340	Gjapmdid.exe	91
PID 3340 wrote to memory of 964	3340	Gjapmdid.exe	91
PID 964 wrote to memory of 1292	964	Gidphq32.exe	92
PID 964 wrote to memory of 1292	964	Gidphq32.exe	92
PID 964 wrote to memory of 1292	964	Gidphq32.exe	92
PID 1292 wrote to memory of 5048	1292	Gqkhjn32.exe	94
PID 1292 wrote to memory of 5048	1292	Gqkhjn32.exe	94
PID 1292 wrote to memory of 5048	1292	Gqkhjn32.exe	94
PID 5048 wrote to memory of 5088	5048	Gcidfi32.exe	95
PID 5048 wrote to memory of 5088	5048	Gcidfi32.exe	95
PID 5048 wrote to memory of 5088	5048	Gcidfi32.exe	95
PID 5088 wrote to memory of 4604	5088	Gfhqbe32.exe	96
PID 5088 wrote to memory of 4604	5088	Gfhqbe32.exe	96
PID 5088 wrote to memory of 4604	5088	Gfhqbe32.exe	96
PID 4604 wrote to memory of 4708	4604	Gmaioo32.exe	97
PID 4604 wrote to memory of 4708	4604	Gmaioo32.exe	97
PID 4604 wrote to memory of 4708	4604	Gmaioo32.exe	97
PID 4708 wrote to memory of 3616	4708	Hboagf32.exe	98
PID 4708 wrote to memory of 3616	4708	Hboagf32.exe	98
PID 4708 wrote to memory of 3616	4708	Hboagf32.exe	98
PID 3616 wrote to memory of 4536	3616	Hjfihc32.exe	100
PID 3616 wrote to memory of 4536	3616	Hjfihc32.exe	100
PID 3616 wrote to memory of 4536	3616	Hjfihc32.exe	100
PID 4536 wrote to memory of 4896	4536	Hpbaqj32.exe	101
PID 4536 wrote to memory of 4896	4536	Hpbaqj32.exe	101
PID 4536 wrote to memory of 4896	4536	Hpbaqj32.exe	101
PID 4896 wrote to memory of 1200	4896	Hbanme32.exe	102
PID 4896 wrote to memory of 1200	4896	Hbanme32.exe	102
PID 4896 wrote to memory of 1200	4896	Hbanme32.exe	102
PID 1200 wrote to memory of 1332	1200	Hikfip32.exe	103
PID 1200 wrote to memory of 1332	1200	Hikfip32.exe	103
PID 1200 wrote to memory of 1332	1200	Hikfip32.exe	103
PID 1332 wrote to memory of 1540	1332	Hpenfjad.exe	104
PID 1332 wrote to memory of 1540	1332	Hpenfjad.exe	104
PID 1332 wrote to memory of 1540	1332	Hpenfjad.exe	104
PID 1540 wrote to memory of 1856	1540	Hbckbepg.exe	105
PID 1540 wrote to memory of 1856	1540	Hbckbepg.exe	105
PID 1540 wrote to memory of 1856	1540	Hbckbepg.exe	105
PID 1856 wrote to memory of 2444	1856	Hjjbcbqj.exe	106

C:\Users\Admin\AppData\Local\Temp\704a41f91ec542d366867a973fb11d60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\704a41f91ec542d366867a973fb11d60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\Gogbdl32.exe
  C:\Windows\system32\Gogbdl32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\Gjlfbd32.exe
    C:\Windows\system32\Gjlfbd32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\Gmkbnp32.exe
      C:\Windows\system32\Gmkbnp32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        25⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        32⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        35⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        37⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        42⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        43⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        53⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        66⤵
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        68⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        71⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4904
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1528
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        75⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        76⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        77⤵
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        79⤵
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        82⤵
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2916
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1004
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        85⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        86⤵
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        87⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        91⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        93⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        99⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        100⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        103⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        106⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        107⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        108⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        114⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        117⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        121⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        122⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        124⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        126⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        128⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        131⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        133⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        134⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        135⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        136⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 412
        141⤵
        Program crash
        
        PID:6320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6220 -ip 6220
1⤵
PID:6296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
80KB

MD5
ed36c41451bdb1d86f41491d9c739943

SHA1
8d427f038175ec24e644ab44a507dcdcda7a94e3

SHA256
e545eb4ed332ca6284db75ea8d019bcad0c49ee71245d276189639c490856307

SHA512
259e7c095e17922b11dbe10af8aa278bae2389bdc155c52f198cbd8860d172e9149495064062a54ab7163f22266563f4845cdb5b5ee3a6981c2742d5e957f8dd

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
80KB

MD5
53ac99c747429af04f17bdfc6b67771f

SHA1
1ccad87d62d9cfc71f4d6936476f7ef3209dac72

SHA256
65579ba7278244ef24d3447c559f8e0cf667035b11c7cdeea466c54aecacaa11

SHA512
3c32c6e9aa2747eaa0c5c00a3608a9231a3c3bf5be5da815134f0f6863e9cb02af22bf312ab6640ffe63974ba06df210844eca87524824477dafa2c7c33914a2

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
80KB

MD5
e2541689fddb233797baf195d541b3cc

SHA1
b7ea27c0770d804c0cae4f5da1d260cf318bd2cc

SHA256
8173fdea6d6a2faf3ff7d3fefcbab4a44a27964a623e936fbd87fc555d7f8858

SHA512
20d5a01ffec1a165c91ba788499f0bd826a6132d1ae6fb100c079c87e9cb8a9986824a86a12fa108273d6a8842e664265362f15c81e6d34e71a6beb4328ed94d

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
80KB

MD5
16b818b3bd2fd037089b8e6544f641e8

SHA1
8869649fff1256387f4029129d47f703097e13b8

SHA256
dd1fb6a4b94e7b783e2f49f0f171949d0c7f6f670aa470c072798f146dd791f1

SHA512
e943d9d41871eb1493f15d64fed67ee977a789c7f1787922f306253af000bdd9cca44a3064c36fd3b62c4c20307a3e56dcd0539698bf55382284b62107ed798e

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
80KB

MD5
07a677b120a7c6fe250d771faab15e69

SHA1
553596318a9aa965c6f668b58d9261b910410e17

SHA256
67c29787a2050cd8df41288f925eddb3b150b0bcbffa20dc8f55647849c82c70

SHA512
b481b044b31780b942a27d0e42160b260adcc69cbb85701267e29e353486fe14c0ec048d8e9ee210c204cdf6e2e60cb71a662e49163cd1abdc9f0f429ab87e46

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
80KB

MD5
c17141897221fdad36fd5e04f7687d1f

SHA1
bec751100f04e5312ab1af8badb73f4cd6236cf4

SHA256
4b36a97752abdeb1ba3491b5c03b504312b678489c64e53e98adf45b648f09f3

SHA512
7de6a06aa6f1d4606a91379acd7c5a15af90e77b4c45d530fc3316f68484640f6e40cbb93c7adc1a96365ac4bee8877ece5d856415e98b30bce970bff3f22833

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
80KB

MD5
3fa984e8e92f27cbdb69e4af747b3d0b

SHA1
f10285bbe7bdb95300af610a5b00020bab66e240

SHA256
0ee64164393ac689419540c526989e82e9f8e36944e3a56b9aff167cfd6b5307

SHA512
35759573a4cb5ba2293e4c92b735e8ed3c68acfcb4fe84606f5631cb885f81af920e599f4a27ddc4bcc8ec6c73c4cc8c54301f8c51e5622c17240f41c24f9a40

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
80KB

MD5
1afb34e03a3584c1b97292ace2cf9cb7

SHA1
4fb12380f8eafc14c4d6c9184e008faa29f31f85

SHA256
701fd67a159ca1b4750cf6d69c5e8bb429dbe8353c43aba8a77997f42f9b623a

SHA512
ba29650637fc1550b4d08baf805ac2b54881e731e3a4de53e16327e9c36d8b436508ab3b736f80e2c5381aa0fd3c595bc94b7dab49cbba15b4810d1352ac35ff

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
80KB

MD5
d0570b085dd689e354af688cfa85213c

SHA1
a08dfbb03d5508cf75b1cd1d840b92479a9229b4

SHA256
9ca8a9e1fe8102bb996744cb1d672d411c564e4f0fc00321163cfb3ea82bd8d0

SHA512
50a46cfa0a593538ab37915b1280be48ab313b75c1888124c2b63219953b43d22e9c1b00b05acfc296f33b9d7d67889385ed5b6f193b8bbfb1caf3823dba9be4

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
80KB

MD5
97332a1d1ea27ead3581c10b709943cc

SHA1
56e6f1fe500b8dcaa2dcfa73c188d3d725b3fd3a

SHA256
31bcc4a0accd8f30c8559162b7bcdc6053c177f69f2d8392e8a6546aa19f62af

SHA512
bcf2f434e6db88960c0ea7713b6cb5afe8022448d1ba5c50c6ec5c3f5e1b8ababdfc71af84e51bbf8d9bc3caaf8f9c13738430dab429033e806b8d796d706a7c

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
80KB

MD5
6bd2adc84bbe4fd3505e41ce49fdd5ec

SHA1
69a4393acfd3e2526dcc50d0a22f71833bef55be

SHA256
bef4cb303b1fbfad442c4c49223b1d1b3dbb436554ced07c03fa43e02b2cab6b

SHA512
337d930c3edddeecde30e310e9d680fba4af3f7b7a81cd716ca798fda535a5275b2f997691ada64f5c2eab3c6aef1b3224199385b67023991b652ecccf9aa7c1

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
80KB

MD5
6c6e89c5ab56698e2bd96863a8cd78f8

SHA1
ff62f92cea655653bcc44988ef9416fd8c0abeba

SHA256
2addb316f48cb2211d5269fe14a0b7fbe6295bdb033d61cf1b005bdd61ab0a61

SHA512
4b4b33b09d7f4ffc359f0e9f740c7036f76e6fef8a332c90f46cc66b02b993d8cc89f5b463a8fd3d04344455e159df461273484c8de0a0fde0c76daadb16a232

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
80KB

MD5
476a993f8271d445973397a2aa3bde9d

SHA1
eb55cfa898c573c42c800543c5a54b92a824f8d4

SHA256
9b5f04850365b3632ed539f3a13bec7f4933902d415685c634b6be870b608cd2

SHA512
7ed071f68caef92e3f0ee18752ef8f252fdcf1c8fc026e91320f35ff77884f3b9457863a85c7d8288f07da0610e7e14ca7a861b9b9b9ddf0c32a453d0a9323be

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
80KB

MD5
f2dfa6870c94403d02ad7e383265ea49

SHA1
e935a0405d83b107c0181f6e2433682e02679959

SHA256
c729779d52f0f3cabf67b70ffe75f2c2fbb8acec5f1bb54bcd48889ae4f20bb8

SHA512
6be34c3d64c05572325d1d810f38857d87d03de2d933721aa5bc41e5d0a424d48594bf489812b35cc0e9bb7fc5722759267746efc78042a0b61ff194edbd5aa1

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
80KB

MD5
bdce86b439a872d27e0c01404e7302c8

SHA1
a663c7fff12c1c4a8f17222a4fa51189e78a16f2

SHA256
29421c284c576bea555c9ad4cd1582cbfe9e39246018694a221b88928dae1a06

SHA512
d05e9ffe70cae05b032f4d84277b7da94e493f78e959a9265bc52dcf2142df198e2b8785476650f28be76891bef5a5a18340a50217b406febc0c55d29b805784

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
80KB

MD5
67301ca2c2616d7876c96a6e6f206894

SHA1
1364e486b0c4dba54383d3a7fb0b188577e19690

SHA256
659407139957bf2cbd269d1c517010e6f50920abec53e2b5a216b5f4d7deea0d

SHA512
1f3f8236c0d5761c0a8e17c0b0309f681c38252e252d3f1f2cd093758483aa71ceca773297684938a5a764e1e10f3e2975e4ce3ac4d9b1ef91f3d65e142e8e18

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
80KB

MD5
32b66433b0bea27de369877f9bcca85a

SHA1
30b9cb8f2ed9746b107d8ac35677392678de2e83

SHA256
20b8a8506067011814d93a718cee2583c88325dc77be5f7832108d8445ef961c

SHA512
4419bb7ccb9e0d70eca1ecad8c549c7ce6611c0573b5e5b4f19e672b76adfa68f3f3c22a10b3281fbf09c4d35863eb0d71a672bfadd4a40ca9c3463a2a267a8d

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
80KB

MD5
3b494f9ef7f770ab6aef3cbe14228a19

SHA1
5db3e3575e45f11d00354a71e26b28da1999cf6f

SHA256
6d4f1a6904487bd74bf86aab18e0985f9eac6c77bcab0c7ea6d647707e784c02

SHA512
d35e83fb57925d01b6353b8230e82dcc2422ca1dc4555e21f559bdedc3016a8f6ef517d525e711010f8a98e3381a6951ce3ebb4d5001fbcf6a800bead3c053f3

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
80KB

MD5
2aff3175b162c3a2a8cbcd106311fc5e

SHA1
0ceda0488ef97bab8b0be80cf0db3acbf98bb6c9

SHA256
3d6430ade7c4698d1e496bebcadadc41af415aa71c6275089baa8e2df022ce16

SHA512
e66fd9510efc942e2ef4885dcc31cdfeea2cbe985a853d6879befb73233b434bcefecdc64018e8ae77379fd43db8b4ee48711a8f59434f1e3a65524cb84775e7

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
80KB

MD5
df84221c1b0b2cbca4e17e891a04c785

SHA1
104be464a147ba66ee3d2b009cac04c42f8c2501

SHA256
614ac668d1025c8800f6f3e3248ddede789f65e8c161e27c3df3edcd95425c67

SHA512
c5dbd44f2db2ba53adb6401f1d91488e5a6fd24bfbbd01c421edd6d2f609e8d978b21f427bf9f787fcc8503ea303d125d674afde21217a6cf6655e40f30b6a0b

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
80KB

MD5
9020504598f82528e81b4de7b3bde576

SHA1
0cc64eb9aa58f7a0b118f7939beda6bad681b0bc

SHA256
41c4b8d7b97e5defd274fd3c962baf6d5650445433e89d7031ba7ea126c23e5c

SHA512
55506028ef9e51944ff72e58aa2bdc95f9a0b574e97ad54a24b1ab86739380a2c50f868b57a0855804bf61d5cc7f341ecbceb11c7a6a508ac74b10b81030db14

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
80KB

MD5
45ee31099c88f0756a92a92cb5972b5a

SHA1
3e009cc1cc46b1dc5b17d766823fd76f626ce5a0

SHA256
e77a7d20571909d02ba0e6923dc6c3937708878edbba7dd0334f2347a33d3faf

SHA512
4c451eca2fd5adf72f3023e01761d1a686b0bc3d3a5878f9f6203efa4244c046d4056d0da4b63f1ca05cb3926cb14f3629b8903095ebadcdc5466ca8a2eaf05c

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
80KB

MD5
f83c2de2b3a6fe9b0c749a7d29d886c3

SHA1
90af9f253851d8532e9cb039ab1127587931b777

SHA256
f40b2f34b4331f94334f229c257156ece0bb7b657027df422ddf07c4fb6bfc2a

SHA512
6d57b2bb17b28f6ca743a96efe7e51ec9895e3bcf2ee4b0744b748f847579eb13f0d5b4d95be2fd8801f7b4cc72e6acb324237f03eb96527e188ce35297374ad

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
80KB

MD5
26d25a1c6221ea7e4eb4419bc3fa85fe

SHA1
253c8e017fe1029a291f862438cd615b2968de1d

SHA256
56671fdf2451dfa65c4ca7d9a2ebf4c8b57df492683a84f45f886db3b02b8ce0

SHA512
48fb03d640c724ad7e0f62554afac144fc4932f6b29226e3012ff486e110874ad79081365e0422b00b6902ccc11fd7139e6583ded53c7a136118668a67649e71

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
80KB

MD5
b53fbc9a2f056f9bdca67272614564be

SHA1
16757194a02fbc12b1a80415708563fef53c1051

SHA256
c095b293c5a9c8aa9e2a2bbae9ad0e4f46a16d9b965e86f6deaa7ec9eaf8a09f

SHA512
724a77655f25f4c9d19039dbe3e10282d6bfbd9a7e4ba22aa3c42c754250d697572b7f2db55dad2b2d129ae0f530f203a5679e2b3ee41a2e6d79494e9b13eacf

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
80KB

MD5
4ed50636d6e7296e2218e5c9bb61e533

SHA1
154c45518d4a09e21404c649782e5a48f82a334d

SHA256
eb9ef960fca726d6026727edbd13a7997eb3f088141672a75bb6272276fb6ce0

SHA512
c0f4f6de3dd11a62228224f7603941b6ed0ecfff9c8a605f67a023d8d9ef724c6dc1f452b554759dda15d615482bb0c0405bfff8216ee7db4b82f2ebd1daeea0

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
80KB

MD5
0f402fcc1a8addd47479d376c6923b5c

SHA1
d7f71389371ed2eb0b4e1dbd44df564aa1377a9b

SHA256
cea6bff2c9ea9f1a3fd8ca76157ba75d28767fefa4881ed6e25baadd24001663

SHA512
3894a10deabfcc0323120e4c7716963ec065afe8cc1bc08ec79b7a63e44beac6405a5d7c81153144c2021c81fbce872d17b04169448ab6af2f68627f36874393

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
80KB

MD5
d2a763d27430e34d42602725873337e7

SHA1
8e306248be08e34d33031540706807ddd654eeae

SHA256
d06816bb23e6d7f1e934db3914dda006fb5859355d63c92e816df471da92d521

SHA512
62422087f3bcbf042db39fee0cb2ea1fd8f883cc1db4e2ce56ecf3979f91da2b81db65d1230893aeba45c539bb87e75fbda9266403ea7447195951478d480ee3

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
80KB

MD5
3f2b6c4a8c966c59dffdb920c40be9f8

SHA1
7bceb20fda7c9ba874fe8b56b1bfd49427cac56a

SHA256
b5ff98a3bfd6f0e9c255c2b2ab1026384af58d84612178bb0d18f5bf64044c84

SHA512
577c16eb11487642f57be0e46c76f8727dcf9defc3d3288d05c6d171c63395b7312bfac8e7a67b4dd00626dbe9deb9ef74df7dfa288b6796b5f1b4651000f41a

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
80KB

MD5
c3817eac1c2858bc77780b8936e0f02c

SHA1
062ad3657d23ea69f4cb5428a676665079adf155

SHA256
b4dd44b660f15f60beddc228678457ee00d2a203928aceee097b196adc50fd54

SHA512
1b6cf017602a92e6fd5cb99ae1a3067fe61feafa94dad2a2c54bb50d729f4a8bb0a480832623bf4b82b424534dc13cd040b86a935f585bad02543f6f3419f3e6

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
80KB

MD5
c591031125eb159528fac04e1fab5897

SHA1
215c60885a303a07a18c7d7a6c53fb7026431620

SHA256
531ea7f54fedfcde5ab7ede1c9a5ffb7b7731ad137a4441ac44f0d7e8612d88f

SHA512
2205eb81985e8ef7691f8d6b48c9b5538c1d3af8dd72806069f2e97ff69d8ccc4291bb6e7e9e311f6ab2fba27f0e091304b30324e446052460f7a63dc02d911f

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
80KB

MD5
8581d1681f4ffe84f4a72bbff0d207c1

SHA1
1402b5ddcdf2c214003ac5ff8b3e49bcac17970d

SHA256
6f933a1c3f010c8817271afd8a0b160f35f4019b06c7544c5d1c9e1ea6e66688

SHA512
6fc1cae31902a51e3113411789e568152f9f102801a426d57ec149f367f321fe928d7125ed422fcfc35a45c5ff60060f08896f1b3e9e0188fc1edb82c77c2200

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
80KB

MD5
f1f6c98e58fc47468700fb9fb4c2002c

SHA1
dd6666ea1dba60c64824087c0d0dab23fa61669f

SHA256
3a17d8d1b05570d9330b307fd76acdf4609e1a878c3097f420cf824e0d893eff

SHA512
93111b5c2e2c9ebc0f48ddf3a61dc50a0e58d62221833291b5f7f13d5c5f3dd7664c9d0b143e73e6cbc1c6dc3aa3f951bca832e54aa5656c4f5bf72878c89a68

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
80KB

MD5
3f9679253a5cb807baeb63471945e6b4

SHA1
481dcd3c1218c153b033271b2feedfde91fe8fbf

SHA256
56f4af66a727373c45c8bda2219735695f2d7ce9cf0a019e4d16c305fb91629c

SHA512
dc15b4d9d141d6e2d0f9a0de4bc1d0387030a17d00a881c04fd91df3e973a49ce0290f0cbfcd58633fdaeb9aca1dc26fd93659fd56a85804f4ee7908d19a9a45

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
80KB

MD5
d77d8df533b4746c86214bdc9579442e

SHA1
4562ca99faa29f792e63a0e5580d63f95b0505ac

SHA256
670db392aa1443c02b2193f3a7db7cd2c8d30dc86b538523bc4b2f4b1dde8049

SHA512
859083411a1c1cc03f78adc760f6e43ca963caeaf4fdd022f613fe3af72eafd7b6d01cf5779e45c0dcba04919c0ed94cd85448d79eca39878965859bbedc2ef2

Download Submit
C:\Windows\SysWOW64\Lolncpam.dll

Filesize
7KB

MD5
3f96c4a185a71200cfd3495e436a7dcb

SHA1
7745e596deae792fe455551990a933867d890f86

SHA256
0fd7ba11e00ee1c903bd42397048cfffd1c99bb93e936fe0c5c3773405b10399

SHA512
30b663e471a3ccbee641d3b07106f78aa8c418fa9ba0b55742bb89530e867cef330406aa96444e8622cdae94bac8dcb38c61470d9c3b077af7a1d3420472e83f

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
80KB

MD5
018b88f16f983a684ca8b99e56429475

SHA1
105d10493638a38d46f513ac00db2ce5395d3421

SHA256
03a88a9074a6162620a2cc51c49bfa05a240b70b8a5badf6d5423e6372b03f76

SHA512
026301ceef52e58a5d874afcc94e918d573ecae8bae4a7afc050defe9984828ab47841d67686cf0865ddfed52227bebaaab940aa232b356fb50c24775d1e3777

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
80KB

MD5
feba527cb62195476050628683408f4e

SHA1
dbdb9ae4de95f85117fdb3f231e9501aca2db56d

SHA256
43d4448aa44f46376ee9a66dab563b0be1fc69b295acd2900b7f5020374cb6d4

SHA512
ca99eb06a14668f6b877132e691cb30f60695bd575c646f936ad690681df5c710fbfcf93f8a1043c810070ad8f8b76f4d4758ef704b644972ce6e02555318954

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
80KB

MD5
64c0913777375078d69b3ee035fa2f89

SHA1
085c55795a64fbfea9f003c57e0c8e9f7f7536e9

SHA256
07bf21a4dec6baa60924b3510f06c182b88e2a2a88dd714260788dbf6b0edd9a

SHA512
a24c20f4342595d4ecdd4aff35031afc08c38d7f9b38c17e82dc50aeab7f2723cdbec2733342b0a1428714a15bebe7fc9de5a96991d9af1444f18f5642e43c97

Download Submit
memory/532-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/532-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/540-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/540-326-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/548-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/548-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/804-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/804-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/964-75-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/964-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1092-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1092-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1108-312-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1108-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1200-249-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1200-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1292-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1292-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1332-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1332-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1504-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1540-267-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1540-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1856-276-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1856-180-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1864-245-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-259-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1948-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2068-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-189-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2464-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2464-401-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2592-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3096-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3220-429-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3268-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3340-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3340-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3656-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3656-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3780-374-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3820-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3820-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3828-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3828-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4184-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4208-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4208-366-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-325-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4328-409-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-381-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4436-402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4536-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4536-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4544-420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4580-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4580-373-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4604-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4604-197-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4608-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4608-339-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-319-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4660-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4660-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4708-206-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4708-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4792-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4792-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4804-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4804-198-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4896-244-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4896-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4984-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4984-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5048-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5048-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5072-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5072-380-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-99-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads