3f1b633a5f645a01a9d987cbbd11495cfb126cbba3bc046532fed1ea7da1ba3f

Analysis

max time kernel
139s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df800fdc7e95e518f6ebe947099c9b70_NeikiAnalytics.exe
Size

80KB
MD5

df800fdc7e95e518f6ebe947099c9b70
SHA1

cb36713c75e7fd3feb6694eb9fe1ad99c481065a
SHA256

3f1b633a5f645a01a9d987cbbd11495cfb126cbba3bc046532fed1ea7da1ba3f
SHA512

cdd3c2c0aa3eae3356edaab68f71ad2f53464f06e9a6346ae9235bacf25d8c7db092beeb5f1d73c3a0de8f58c29f29e9879ecfe127bbf3accb91c93d96755a46
SSDEEP

1536:i9s5Yxh/1bhxHVa39azDfWqdMVrlEFtyb7IYOOqw4Tv:es2BzHUNazTWqAhELy1MTTv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe

Executes dropped EXE 64 IoCs

pid	Process
3356	Fqaeco32.exe
3732	Gbcakg32.exe
4040	Gimjhafg.exe
668	Gogbdl32.exe
4540	Gbenqg32.exe
4812	Giofnacd.exe
4828	Gqfooodg.exe
5076	Gbgkfg32.exe
732	Giacca32.exe
3988	Gqikdn32.exe
1196	Gbjhlfhb.exe
1028	Gjapmdid.exe
2916	Gqkhjn32.exe
1096	Gbldaffp.exe
3480	Gjclbc32.exe
2496	Gmaioo32.exe
1628	Gppekj32.exe
4884	Hboagf32.exe
988	Hjfihc32.exe
4636	Hapaemll.exe
4952	Hcnnaikp.exe
3636	Hfljmdjc.exe
3256	Hikfip32.exe
5056	Hcqjfh32.exe
2948	Hjjbcbqj.exe
1612	Hmioonpn.exe
2168	Hbeghene.exe
4588	Hjmoibog.exe
4764	Haggelfd.exe
4372	Hbhdmd32.exe
4268	Hjolnb32.exe
3916	Hmmhjm32.exe
2172	Ibjqcd32.exe
2824	Iidipnal.exe
368	Iakaql32.exe
3584	Icjmmg32.exe
1356	Ijdeiaio.exe
4916	Imbaemhc.exe
2600	Iannfk32.exe
3492	Ibojncfj.exe
2812	Ijfboafl.exe
4792	Imdnklfp.exe
4192	Ipckgh32.exe
3900	Idofhfmm.exe
4092	Ifmcdblq.exe
3612	Imgkql32.exe
4072	Ibccic32.exe
1408	Iinlemia.exe
4980	Jpgdbg32.exe
4972	Jbfpobpb.exe
4356	Jjmhppqd.exe
3180	Jiphkm32.exe
3812	Jpjqhgol.exe
4140	Jbhmdbnp.exe
1652	Jjpeepnb.exe
5040	Jibeql32.exe
4692	Jplmmfmi.exe
508	Jbkjjblm.exe
2956	Jjbako32.exe
764	Jmpngk32.exe
2400	Jdjfcecp.exe
740	Jfhbppbc.exe
2924	Jangmibi.exe
3104	Jdmcidam.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Gqfooodg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6692	6600	WerFault.exe	235

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 3356	2692	df800fdc7e95e518f6ebe947099c9b70_NeikiAnalytics.exe	82
PID 2692 wrote to memory of 3356	2692	df800fdc7e95e518f6ebe947099c9b70_NeikiAnalytics.exe	82
PID 2692 wrote to memory of 3356	2692	df800fdc7e95e518f6ebe947099c9b70_NeikiAnalytics.exe	82
PID 3356 wrote to memory of 3732	3356	Fqaeco32.exe	83
PID 3356 wrote to memory of 3732	3356	Fqaeco32.exe	83
PID 3356 wrote to memory of 3732	3356	Fqaeco32.exe	83
PID 3732 wrote to memory of 4040	3732	Gbcakg32.exe	84
PID 3732 wrote to memory of 4040	3732	Gbcakg32.exe	84
PID 3732 wrote to memory of 4040	3732	Gbcakg32.exe	84
PID 4040 wrote to memory of 668	4040	Gimjhafg.exe	85
PID 4040 wrote to memory of 668	4040	Gimjhafg.exe	85
PID 4040 wrote to memory of 668	4040	Gimjhafg.exe	85
PID 668 wrote to memory of 4540	668	Gogbdl32.exe	86
PID 668 wrote to memory of 4540	668	Gogbdl32.exe	86
PID 668 wrote to memory of 4540	668	Gogbdl32.exe	86
PID 4540 wrote to memory of 4812	4540	Gbenqg32.exe	87
PID 4540 wrote to memory of 4812	4540	Gbenqg32.exe	87
PID 4540 wrote to memory of 4812	4540	Gbenqg32.exe	87
PID 4812 wrote to memory of 4828	4812	Giofnacd.exe	88
PID 4812 wrote to memory of 4828	4812	Giofnacd.exe	88
PID 4812 wrote to memory of 4828	4812	Giofnacd.exe	88
PID 4828 wrote to memory of 5076	4828	Gqfooodg.exe	89
PID 4828 wrote to memory of 5076	4828	Gqfooodg.exe	89
PID 4828 wrote to memory of 5076	4828	Gqfooodg.exe	89
PID 5076 wrote to memory of 732	5076	Gbgkfg32.exe	90
PID 5076 wrote to memory of 732	5076	Gbgkfg32.exe	90
PID 5076 wrote to memory of 732	5076	Gbgkfg32.exe	90
PID 732 wrote to memory of 3988	732	Giacca32.exe	91
PID 732 wrote to memory of 3988	732	Giacca32.exe	91
PID 732 wrote to memory of 3988	732	Giacca32.exe	91
PID 3988 wrote to memory of 1196	3988	Gqikdn32.exe	92
PID 3988 wrote to memory of 1196	3988	Gqikdn32.exe	92
PID 3988 wrote to memory of 1196	3988	Gqikdn32.exe	92
PID 1196 wrote to memory of 1028	1196	Gbjhlfhb.exe	93
PID 1196 wrote to memory of 1028	1196	Gbjhlfhb.exe	93
PID 1196 wrote to memory of 1028	1196	Gbjhlfhb.exe	93
PID 1028 wrote to memory of 2916	1028	Gjapmdid.exe	94
PID 1028 wrote to memory of 2916	1028	Gjapmdid.exe	94
PID 1028 wrote to memory of 2916	1028	Gjapmdid.exe	94
PID 2916 wrote to memory of 1096	2916	Gqkhjn32.exe	95
PID 2916 wrote to memory of 1096	2916	Gqkhjn32.exe	95
PID 2916 wrote to memory of 1096	2916	Gqkhjn32.exe	95
PID 1096 wrote to memory of 3480	1096	Gbldaffp.exe	97
PID 1096 wrote to memory of 3480	1096	Gbldaffp.exe	97
PID 1096 wrote to memory of 3480	1096	Gbldaffp.exe	97
PID 3480 wrote to memory of 2496	3480	Gjclbc32.exe	98
PID 3480 wrote to memory of 2496	3480	Gjclbc32.exe	98
PID 3480 wrote to memory of 2496	3480	Gjclbc32.exe	98
PID 2496 wrote to memory of 1628	2496	Gmaioo32.exe	99
PID 2496 wrote to memory of 1628	2496	Gmaioo32.exe	99
PID 2496 wrote to memory of 1628	2496	Gmaioo32.exe	99
PID 1628 wrote to memory of 4884	1628	Gppekj32.exe	100
PID 1628 wrote to memory of 4884	1628	Gppekj32.exe	100
PID 1628 wrote to memory of 4884	1628	Gppekj32.exe	100
PID 4884 wrote to memory of 988	4884	Hboagf32.exe	101
PID 4884 wrote to memory of 988	4884	Hboagf32.exe	101
PID 4884 wrote to memory of 988	4884	Hboagf32.exe	101
PID 988 wrote to memory of 4636	988	Hjfihc32.exe	102
PID 988 wrote to memory of 4636	988	Hjfihc32.exe	102
PID 988 wrote to memory of 4636	988	Hjfihc32.exe	102
PID 4636 wrote to memory of 4952	4636	Hapaemll.exe	103
PID 4636 wrote to memory of 4952	4636	Hapaemll.exe	103
PID 4636 wrote to memory of 4952	4636	Hapaemll.exe	103
PID 4952 wrote to memory of 3636	4952	Hcnnaikp.exe	104

C:\Users\Admin\AppData\Local\Temp\df800fdc7e95e518f6ebe947099c9b70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\df800fdc7e95e518f6ebe947099c9b70_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\Fqaeco32.exe
  C:\Windows\system32\Fqaeco32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\SysWOW64\Gbcakg32.exe
    C:\Windows\system32\Gbcakg32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\SysWOW64\Gimjhafg.exe
      C:\Windows\system32\Gimjhafg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:668
      - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        24⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        28⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        29⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        30⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        39⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        40⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        52⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        53⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        55⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        56⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        57⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        58⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        66⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        69⤵
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        70⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        71⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3960
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        75⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        76⤵
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        78⤵
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        79⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        80⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        81⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3724
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        83⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        85⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        87⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        88⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        92⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        94⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        98⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        99⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        100⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        101⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        103⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        104⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        112⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        113⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        115⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        117⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        120⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        122⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        123⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        125⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        132⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        133⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        135⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        136⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        141⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        142⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        144⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        145⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        146⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 400
        147⤵
        Program crash
        
        PID:6692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6600 -ip 6600
1⤵
PID:6668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
80KB

MD5
57ee858e076a5c6e910922561683e497

SHA1
5a8e00daa9997d6e17b576773f19fc4b487c892d

SHA256
7866c22bdd13cc2c97cf36fafe137e3ac8d31c6c19ae0bd21e6e9c7b44ae8f67

SHA512
c608da3c8a86c46cb0eb61f38eb930ba506a8f2f17a44dc3ece05cc402f7ee9ed7244ea44fba732849714e91a605bf85dfb9092a30c7155728216cf0524aae14

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
80KB

MD5
dada6c5375e04a749f8c83ce027204d3

SHA1
ababd656205e69095759f655ba2a054565acecb9

SHA256
577bbba252d74d394b6ee98aca7f7f2c53cd921fa6effdcec20371446f400104

SHA512
a26b0c59ad45ea50adb11994bc43b00dcca68571506ebf38e470cc5f5ddb588d908f588ed9d5e37a4cc992004e8e53555f32ea64e3a9d90d6d6acbc7d0082c6c

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
80KB

MD5
538b7e5304962ba88e10fc06ac20a1e1

SHA1
53cfef6d81684a26248621ba41e66237410d8673

SHA256
1ca5453b3f6bcdee2e96f3f2b62743e808d6ad442286a6efeb7420190344546b

SHA512
d72ad7dd440b0149759982cbc166b8db3675440ebe641e0c91fd91087af280401aa7e2a71f1ca7fbaff690c2fd08b580d5f47793861c52e7637419b86be64bd4

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
80KB

MD5
635cee50c4a8af08bba70b6837df8ab0

SHA1
25680dd62deb0baaa2fdfff677dab6835b01a4fb

SHA256
4fcb64a4bdb5f6641795a59034e2c14c8c629c5a685888ba123dad077aadb7aa

SHA512
30d7d42159b9f4fab39953f410fd705c89115d899ed5d1211d00bebcb0ace0104c464daa1a847b1edbe61b50f4593079c9204b3839fa5cd75eb5a40275378179

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
80KB

MD5
94be9e200bcbc17185d27e9e8dddbe1d

SHA1
b3fe83c184867886d8a29477a720af205855200a

SHA256
db14b73883c84712f0faa69c084be879f4a0fac6a95a04f0a50d5a3c85341fa2

SHA512
9ddbc4769542a02a95b847c75962583854fe8dc43624b2df60d304eaa948c69bd3ec23ae433f8c55d3ec17c28752b3beb5157f20df1971d7c2b707c8e97fdce6

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
80KB

MD5
d85c77c5d2a77359167aa0b1aaeab576

SHA1
b874b7bbce26b4461e3221d894faa10b74b67242

SHA256
896bcb5c6c3ab5bea27d60df8d8b5faeb11426ea09696c39ca1cb323a6d82843

SHA512
f3b5aaf263c9edb741821b88eafb84c7460b95d32e2afe00cd373a83decf71da3a490b3bb7202766d8f325ae77e9bf4175728e9df78e859e8a14d48fa7bc8d71

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
80KB

MD5
913cfc8fa68bfae436b31170444295ae

SHA1
b19f47cc5fdbdb30bdc6162cb84ab8dd0c5244fc

SHA256
c009a5d4d5dcf1fabeff1698406e25104b1ca43981a3a01884a666505ab80cc7

SHA512
18876c1c83262ad29aaf3e8fcf6716235189070b34c18901b8b48a3886d033e6e54a99db4448d1972a8b61864e703f33d109dbfc1003c404a4d5189ea8ef9010

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
80KB

MD5
3d949cddf5fd27cf9c3bb87f620800d8

SHA1
eaec855e053ab10761c84c382df9236b3469560c

SHA256
fed36bae01dff252f4e0ff4adf1488c6e2c1e251d4db33324132012f32be5d49

SHA512
67a9f1b702c269073a963e5c8d8d4101fd893d7ea1e9a3c1abd66da23f5e8f9e780de26bf97687798b35870824286d146cbe189a9aac462e018b5bfe5b9c049b

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
80KB

MD5
98f6d37d35e50aa705aed954daba5765

SHA1
a99846b918a8daeef9632f9c68e321911f11c4b7

SHA256
f9a14bb55099b13aeff48789849342e586ee93ee2f877a770faebcda4357379d

SHA512
cc24f034768da7aafc8b69d10ed73c0fa299160c2e9add150164029ca6c31a0bb586ce99d9c316c737543e069151f0d372213c17247769d4865402e80369eb0d

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
80KB

MD5
8c1e8f86190a5f47a4402ae446b6d471

SHA1
80a803bea8045fc922afdbb73fd8333ae8010ebc

SHA256
16b66b687d4a89bf9d3514dd438ed1cb0df00c742814a451e827d3065d37efb9

SHA512
d239e4628900b5ded4c50f29c70c536afa696e379c1e29fb6e3324acee5d858ebc1327c00f4274d2c81799e8d28b99ad1cb78ab717520a5887d3e8476ac8f40d

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
80KB

MD5
eca5bbd8083ce799dd8c4588bb3fe2ac

SHA1
97ba4ce969c73f657c023897602af858ff19ea97

SHA256
1ed5f075839066dba625dbe1cfd792b8c26685996b0807053c751970345bcfe6

SHA512
dd16fc67726f2d248133c842e15f37acec4ad24779e63975a025eb2bbab6d8a342babaecb27b70e5fe4ebf7f39641acbee35193d7d5448d3c5358ed9d60aaa9c

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
80KB

MD5
d8a979c59a100ef669e269a6856a5f84

SHA1
08b9c8c8903dc82ef2f0dde166f620392267f6fc

SHA256
1eb141ef2e2cedf02a524e5fb86bed7bae90e7c9e3cda7c26567ca0eef1438a5

SHA512
c54fe406af14fca4fff5d2834517576cf1c0bd102edee8db7d30e4ac84d5b6e66b6589ddb36a5b7f47287322532b4b69b713ffc84b7b4692dad956d6d3706e50

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
80KB

MD5
0f1ed9121bc0ad81dd814c12ebde5c9f

SHA1
b88da4141416574c76d057ef0a9da7fade39ff51

SHA256
e951f087bd11b0691f4e22fafc40eabf4e436fa0678b49fd28fb119ff8c98f24

SHA512
ce048a799debf9d6fbbe161830c58c42e0d46d7c764ffbb9203940edb581dd82e3c8a6dcbfd9ccd10573a53b6ede0cf2ff8c627e0d45575bfbe98f8dddd50b4d

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
80KB

MD5
eb180e8caa953feb95f9f11bdf042264

SHA1
ce1f375e35fe54c46f539aac0482fd059f81d0cc

SHA256
8cc3d3c566e61864623239d9adc0547e734b69bc74fd789a14fabf6b25fb7921

SHA512
5866b6d821fa217fc152d14bda318da1a43fa3e8ec7834dc818eab0f327eae823f14cf2da494fbb6a3226d77c0ada81f1e670ff49f96cc1c1a139e3eef91a59a

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
80KB

MD5
b6f595b6cdc33c7de0b0723c8c43ca57

SHA1
46263637e1db2d389233d21d57b329ce00377322

SHA256
8526f7b2c1d807ac3e09751b38e5706c560eff7594611200f442d7272ba3e2ab

SHA512
ed6c01973e00a8a982f8419728f97718e0e62e1792a24fbc1a692a1151510d0bf9bc23f34162b90833e2b1d4b6751ea9a214ef7873c3b9a76301b0767468f912

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
80KB

MD5
0dbc66ab69190d807a4454d9c19da28b

SHA1
0e709a54e27712ca4e8cd884ced778c898a2b704

SHA256
d1167dc45642e6fd7c30bb29e08896f1ba83c2d3631846831e24cc0028013992

SHA512
ef24f800fb67e7796102707f57f203f89a916577b29c654d093290a9a940bd00cc7cbd7f8097cd9f20405903750190dc32113d3110b4842ba981620aab3506d9

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
80KB

MD5
e7148245fe39a037d439d75230a8cbbf

SHA1
59ae9d7b66f12828f0b102d0cc19e439f0f6d0fc

SHA256
427843a6e91f32bbe24fa5c1c7db4a7e115cdbd9c9c6e0596c02705ea8d00123

SHA512
de1d5b0a5a4ecd2f9035abdedaca586cb93c7ea22fd5ac23a8c598ba321e97d1d34e2e13084696edf48d098fc2d4821035495c5f3e5fc1adc6bd919c34a722c2

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
80KB

MD5
f5abf63b998f65ee4082396d83bf104c

SHA1
ed64a323a43260f73b236eff7f7217da1c475717

SHA256
4e5b7bdb6e829bebb2fef576c7b53a05e198baa85882f6558143d972e6780589

SHA512
a8834e365e4a11ca1574386edb31750245c03dd7ae61d3c62a7eadda2835cda0f58e313911a178c02a1af7c91f372b97beb12411ee6e9b375e0a28235abb3c16

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
80KB

MD5
9a2b67b563b8665419f19201c4418455

SHA1
1d94ad2311c73d13b93caeb9cdea578882cb0e63

SHA256
5e870c36d8da9b43d7de183f395fb059d5f5dc68e4e81fe7c9f91163edfc5871

SHA512
68df6afd8240f1cfba457be0d5542757618aacc0a8b8791aa5a0461ce5558adb7d5cc4d7d445420bb573a73722d04b1908a6d829313c6997306b7c521387b0a0

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
80KB

MD5
dfce934585ad40905e4a6a979453b56f

SHA1
a42397591276c7fa0092abef78e9a2152edd71f1

SHA256
38f264eefc177887a3682369192f4a7d3128890c4c8b7b6ff9fa55c9c474ec75

SHA512
ab3ad1b6e27ad5ea5a3ae0594516a372f549b626d0ee326ce7e7523bcdd38dc165bc926b88af9b84dd5537ddd22aa28bd0cf3ffd23a0c7ea8343c20470b91e97

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
80KB

MD5
c3d95a13c8a8aa40a3db92aed7ce329e

SHA1
537bd4b25680f3e364d1e590a8e1424e3902c1d1

SHA256
c27b8675f8b572fc3df5246876785542a3c0af7fcf4644ff61b045854059e57d

SHA512
118db110fae9a422a089ec8dfb9da7e8e86f546dbb84ea4eed9e1338eae1e2427067e69869a1cb8121663556a3f067d8b2b94bc404be6768d4fe3ddcc5eb1c1d

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
80KB

MD5
a3fa5e9347ef008b29126eb80dd48e93

SHA1
080bf540b3fe3d5f8ee9c841f2db8ec82ce17500

SHA256
9f3a64d849f4e1bc87661e35154c6904c87503e7cb151064f7e92cbfcac7b494

SHA512
44ec36b2bcd0d5ac352b61ed6575c729669236b7aac5d3b8c3e619ed5e05b9cdf7feb082ff0ea5be1a6b01b98d59767743d512f2fd9b386cbd7443c6dd0678eb

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
80KB

MD5
92b9c0670c58576c2e9d6948df17e089

SHA1
d1d4bc72b6b672fca32861098a372b8946fde974

SHA256
c400e94e679a185880e18ad4c077ed34f4b96206e1cd120dd9301e365f820acd

SHA512
699c8252b1b54bedd04b2d2a3670b361f4190fffea9909ae0ae0a8f878a29a605ce39cfce7df270a5ebc81971c81e81220d88bcf5014d5151923b33f6a13cb19

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
80KB

MD5
13a48368239fd329aefeaa5d248a1eaa

SHA1
408b9d8edf9eee7323ed4090db63200b74afac19

SHA256
3ca7c28b55eb282efe633d1a2cd0804276c144a2f76c20d6948e36d8abcc7974

SHA512
b941c4f677a4e8fe9e9bd23307db556539ce91bd1be0a1e9989399f0737d76f6c1df276f7f962a1a175bfa688d3e535f43a8ade983e39084ed32c3b354a0c94d

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
80KB

MD5
a72499130b4054f17b09194649714fa8

SHA1
314d70b1dc61f94ecdd9bbb3c048b41bce95d9b2

SHA256
5b66f17e3929937a18b951859a1348bd8583ac9d2a13e535c0a598cc8e5b33ed

SHA512
c949dca380fdcf72e524f596717913cbd186e197736005b7f5d443a7e66a29930d875a8d27655fcc6e0e09adf4193cc09c1c1bb4cb75b8843765c9762c1a13b6

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
80KB

MD5
c714485867fb7eee2255b5e73d5c64f2

SHA1
b21402eaada2a90121b0144016b6f08f5f5f8c4b

SHA256
84bb2c5cbb2c8f32b372defb2dd623d100f92d39785720b4adb3083cbc29e0e9

SHA512
095d282f50ef826519974f32b9b5fdef61cb9635d208b10b279cb8ca529e1a17781ebf01170198c0bc19ad79af126cb5236a94e028eae9ac1a90af80ad7352d1

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
80KB

MD5
428751594668ffd58cf9cbe930227683

SHA1
5e167219a5b3a55cc04aad4b8512478a373942c1

SHA256
68f15befaea4c56c4fab1db34d28b871d566e44ab8fa7fa73fe76c29e92b782b

SHA512
329e39eb5cf08509afb009f869d1084bcf76e2ddcc4bd2ff4a95a127eb647807d88d9b0d4f882ba11c0611e26d8f0f84688c25a9bcf469a33957d555426b8f1b

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
80KB

MD5
cad9c305f106c3dd8ac30ab5942d6a40

SHA1
967521b9d12584aecdc304fca6044a9f4f81fdf0

SHA256
a9d7219b5d1e4c88346979fa4e8e213a0e858a58aad573d5e2e3395fd2324e93

SHA512
bd515fac53612a16b148aa37d0a0ec7fd23bb39241d36c347da2efc028fd70a41be8eaf8d9d7120731357d1cb24d3bf6f205ed3c997d3622a338ae1df0d51e6e

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
80KB

MD5
d293a689cdaacc1397da56fbf8326c59

SHA1
a47cf9981c869219c672c1133882f843e4641d7b

SHA256
155c98bf81303d08eeb150be1ae081c0b9266c4760dba4d5dc07f6dfebaa7b6b

SHA512
419ec23114929f9794b4e9367709485f68f04d83e2589ad3152a80bde993dddd067491aa8a63eea380e72f73e5eaee73c1d62f17f9b4a1f8a470bbd37d28d2f0

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
80KB

MD5
5132c9d49fd6f03faa98434fc088a085

SHA1
0801f00264b4017aa36395610966bee293856e88

SHA256
a29c5fce942443c59f5d016aeb7c2b8d391d75fcf956fdaf0675d1c35947c622

SHA512
f9e9e8a210e1adad824553b8a63656a0b51d01e629ca2d518bdd3fb632127171be9c12c8283833606251c00844838e0ebef3392670b83d5e3cc71c7735117325

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
80KB

MD5
1acad4eca90fe93bbc16f002c789ae61

SHA1
2d38437a6141f6592ad4e6b2674781c7838aefa0

SHA256
3d7e9c4dc5ad5feff30f1ec376c085436eafff76296b6c9e350c20d6188fa8ff

SHA512
a8d63a265a912264b460a5cab44bd0ed2b031640f4d9cbc03435f47f90281ec59f7b8ed8e037301a79832382fa89a6c72cdc70af568c9a1df1e9d6e7988fed30

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
80KB

MD5
57fe63f649051f2cdee8d87008cefe43

SHA1
42c35ae25b5515a9eb97d14e3253dda699059688

SHA256
ac55120cc4e2799afbb94a81f027eaa915d768ec6f514b43a3e3f6fc9f96c1da

SHA512
d88ff8c7f38d2f5ec2591970273ac53d01de5c97d2de3c28b605d402967abb88d677916ac08ef6384560a7e54814ec408869a845a32fb824e67076d7d8a6bf11

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
80KB

MD5
1129dd0fb05d48085758eae31472ce06

SHA1
b091b6a36abaefc5e075b6f486fce25a2c31a4e8

SHA256
68a208a9e2edde307e9f9a8fa2345bb32ed4d1a91651857854a8268242463d5d

SHA512
e34ff0074b4d0691583287711df969929f18e012c0ff6f4f49f9dcb64abd769ec816202e0c24fad49ac77c82f87d3ad380deed27f7cdb1820779662eaf624d93

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
80KB

MD5
4ac5f71a19fb3be88e0262fa0285fc03

SHA1
a222f86a612b51c4c582504e4be6c25fcf7cd0f7

SHA256
b70e884f07e2f5d83c7b60ed1361bf767741e63ef066d883090ab6b9761fd1f8

SHA512
c23f8960e0c77ad9fc672b8cc5f65ed086695969c62c4a403c2642ce1ddd95c34b6a39333a99312b3a8c178d95aa8cfdc07cb6d0aaeb4a464d3e27d6758c8361

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
64KB

MD5
acb3a2bcef07bfcfdb347eafc703c3c5

SHA1
8b7ba0210f738f46bb5adec2ab8971f7b0bd587f

SHA256
70399a7cf0a842332ed3ab3ffdff89f160b5542b5b5b7d019d2bfe6f4b67c296

SHA512
845b6c9c186904cc1e0c90e351a78addae218b21933339955de1f308896e21102bfee88aa138ccd3ebaf3c5c0ca29da7906802a48f83ce0b1d934a1044eef470

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
80KB

MD5
d414567ecf62df67afc0bfa33d04ae9d

SHA1
a770fcef4c3857d89704ae33dc0b0478e13a2083

SHA256
cc49a3f044033a4329e2bade0efd0be0811ca5367f9531bc9651f124ecc44e2c

SHA512
77b13a877c4bc9c691eb1f777c6625416d4a59742ebc41fa0a1c8585fe7f9c7f966e356f8cd276ce30f98c23c3d760204b51510b2aa636d2fd4bcefe835eca81

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
80KB

MD5
b6f02bf44f007f083af22def15aded81

SHA1
a78de50bf01cd34aa1f83f0589f7a54aeae19afa

SHA256
6c303fbfa48d603ab0e838af429d2d17bb403f573018e36e2fc3d0f6f01d1924

SHA512
9d0c259d2abb8c1cc1f04369b314ed550700ccd8497f4f5ec82570188a139e012546dc1c7d94903ec483ffc95cc2b134d18e9ffabd98cb3ad197b555432996bb

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
80KB

MD5
00698c0be300b4499130af1af4190d92

SHA1
23193ac6492c65491de6163f19f8c2cbfc26c1cd

SHA256
ed8a1305a1edd2038d0484fc1cddd92999baaa7a0d4c82c96421f58cc0efce33

SHA512
281f77ca51d6de27c2f7d41528e1487a512f7a7024f35a173984a87038319c3e58f005b7928a6dec28b79248bd61d697f8dbff481b477e54613d2f385a812b4a

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
80KB

MD5
579561883fa62a96e77ea01493574e6b

SHA1
3eaabeb8a1fee4f31ea6f4f21ae66e5abe333a12

SHA256
0a330d96b0961af27c04fa05c83e7730633fafe74269249bdbd7a71fdd4dcced

SHA512
8576e504072d906b4bd4d21f9f4f9c828a58d37048977415f08ce4936ec9362ecbefe29cf3f6e1e1e1e3f95d92274a260d8a4c322ad1d22ec543b381ec043eaa

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
80KB

MD5
eeacccfad40cfb001bf9f3e7a3d6d32b

SHA1
8dcf734cd7711706c6fbd1dc7134ce26afcd86f0

SHA256
e5b036f25df93d605b4fcb1bd3d3207f97b5f0ac22044ee5d2cbbd770a92eb0d

SHA512
c107a19921c16ac77c8809faea17a0244797f7d3bc1460688b5b6ff09436137febfeb19c8f3a0d8159e92fa225fe269b7f8436ae5cb842e96afb5b97c2c42125

Download Submit
memory/368-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/508-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/668-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/668-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/988-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1096-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1356-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2692-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3256-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3584-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3628-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3732-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3732-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3864-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3900-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3912-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3988-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-564-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4268-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4576-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4824-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4916-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5132-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5184-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5228-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5312-576-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5364-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads