32789352c5681ce4339e23d05fb0d6d45364b863aa303ec6ec0179f88475213c

Analysis

max time kernel
132s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe
Size

96KB
MD5

87c2e5f388d4135deb51d4084a934540
SHA1

0980c74f0ce1a80494284ba5dbe578db928f4d48
SHA256

32789352c5681ce4339e23d05fb0d6d45364b863aa303ec6ec0179f88475213c
SHA512

11f01dc6d3940eb0bb61d45349d0099cecb4676f94d7fda7629b30731d4c273e13b3c1eb4b3efb16b5d12b6b01e43c052924c025f0abc48151d41ccc5af0afd2
SSDEEP

1536:ds5rPdHbJgkBV4czB/wl+Yu57irSr/CD5+c+wKS6jTOrd2d/TdNzfW8cKZSvahry:IrFHFRBV4sB/wlHu5mrw/a5EPdjyrd2U

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe

Executes dropped EXE 64 IoCs

pid	Process
2128	Gfnnlffc.exe
4136	Gmhfhp32.exe
4768	Gogbdl32.exe
2140	Gbenqg32.exe
1524	Giofnacd.exe
1528	Gqfooodg.exe
1012	Gbgkfg32.exe
1984	Giacca32.exe
4120	Gqikdn32.exe
2716	Gbjhlfhb.exe
1164	Gidphq32.exe
3392	Gpnhekgl.exe
4472	Gbldaffp.exe
552	Gifmnpnl.exe
4896	Gppekj32.exe
2508	Hfjmgdlf.exe
5080	Hihicplj.exe
1232	Hapaemll.exe
1512	Hbanme32.exe
4728	Hikfip32.exe
1564	Hpenfjad.exe
740	Hfofbd32.exe
3244	Himcoo32.exe
4504	Hadkpm32.exe
4520	Hccglh32.exe
4708	Hfachc32.exe
3104	Hmklen32.exe
2900	Hcedaheh.exe
2380	Hfcpncdk.exe
2560	Haidklda.exe
1336	Icgqggce.exe
4352	Iidipnal.exe
4268	Icjmmg32.exe
2348	Ifhiib32.exe
64	Iiffen32.exe
2304	Ipqnahgf.exe
1328	Ibojncfj.exe
2804	Iiibkn32.exe
4512	Ipckgh32.exe
2916	Ibagcc32.exe
1096	Iikopmkd.exe
4960	Ipegmg32.exe
4792	Ibccic32.exe
3544	Iinlemia.exe
1632	Jaedgjjd.exe
1516	Jdcpcf32.exe
4752	Jfaloa32.exe
4072	Jiphkm32.exe
1348	Jpjqhgol.exe
4212	Jdemhe32.exe
2360	Jfdida32.exe
5004	Jmnaakne.exe
2396	Jaimbj32.exe
4368	Jbkjjblm.exe
4040	Jfffjqdf.exe
1676	Jidbflcj.exe
2020	Jpojcf32.exe
2328	Jbmfoa32.exe
4184	Jfhbppbc.exe
4872	Jigollag.exe
5036	Jmbklj32.exe
5000	Jpaghf32.exe
2324	Jbocea32.exe
2428	Jiikak32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Giofnacd.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6192	5772	WerFault.exe	223

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2128	4864	87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe	82
PID 4864 wrote to memory of 2128	4864	87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe	82
PID 4864 wrote to memory of 2128	4864	87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe	82
PID 2128 wrote to memory of 4136	2128	Gfnnlffc.exe	83
PID 2128 wrote to memory of 4136	2128	Gfnnlffc.exe	83
PID 2128 wrote to memory of 4136	2128	Gfnnlffc.exe	83
PID 4136 wrote to memory of 4768	4136	Gmhfhp32.exe	84
PID 4136 wrote to memory of 4768	4136	Gmhfhp32.exe	84
PID 4136 wrote to memory of 4768	4136	Gmhfhp32.exe	84
PID 4768 wrote to memory of 2140	4768	Gogbdl32.exe	85
PID 4768 wrote to memory of 2140	4768	Gogbdl32.exe	85
PID 4768 wrote to memory of 2140	4768	Gogbdl32.exe	85
PID 2140 wrote to memory of 1524	2140	Gbenqg32.exe	86
PID 2140 wrote to memory of 1524	2140	Gbenqg32.exe	86
PID 2140 wrote to memory of 1524	2140	Gbenqg32.exe	86
PID 1524 wrote to memory of 1528	1524	Giofnacd.exe	87
PID 1524 wrote to memory of 1528	1524	Giofnacd.exe	87
PID 1524 wrote to memory of 1528	1524	Giofnacd.exe	87
PID 1528 wrote to memory of 1012	1528	Gqfooodg.exe	88
PID 1528 wrote to memory of 1012	1528	Gqfooodg.exe	88
PID 1528 wrote to memory of 1012	1528	Gqfooodg.exe	88
PID 1012 wrote to memory of 1984	1012	Gbgkfg32.exe	89
PID 1012 wrote to memory of 1984	1012	Gbgkfg32.exe	89
PID 1012 wrote to memory of 1984	1012	Gbgkfg32.exe	89
PID 1984 wrote to memory of 4120	1984	Giacca32.exe	90
PID 1984 wrote to memory of 4120	1984	Giacca32.exe	90
PID 1984 wrote to memory of 4120	1984	Giacca32.exe	90
PID 4120 wrote to memory of 2716	4120	Gqikdn32.exe	91
PID 4120 wrote to memory of 2716	4120	Gqikdn32.exe	91
PID 4120 wrote to memory of 2716	4120	Gqikdn32.exe	91
PID 2716 wrote to memory of 1164	2716	Gbjhlfhb.exe	92
PID 2716 wrote to memory of 1164	2716	Gbjhlfhb.exe	92
PID 2716 wrote to memory of 1164	2716	Gbjhlfhb.exe	92
PID 1164 wrote to memory of 3392	1164	Gidphq32.exe	93
PID 1164 wrote to memory of 3392	1164	Gidphq32.exe	93
PID 1164 wrote to memory of 3392	1164	Gidphq32.exe	93
PID 3392 wrote to memory of 4472	3392	Gpnhekgl.exe	94
PID 3392 wrote to memory of 4472	3392	Gpnhekgl.exe	94
PID 3392 wrote to memory of 4472	3392	Gpnhekgl.exe	94
PID 4472 wrote to memory of 552	4472	Gbldaffp.exe	95
PID 4472 wrote to memory of 552	4472	Gbldaffp.exe	95
PID 4472 wrote to memory of 552	4472	Gbldaffp.exe	95
PID 552 wrote to memory of 4896	552	Gifmnpnl.exe	96
PID 552 wrote to memory of 4896	552	Gifmnpnl.exe	96
PID 552 wrote to memory of 4896	552	Gifmnpnl.exe	96
PID 4896 wrote to memory of 2508	4896	Gppekj32.exe	97
PID 4896 wrote to memory of 2508	4896	Gppekj32.exe	97
PID 4896 wrote to memory of 2508	4896	Gppekj32.exe	97
PID 2508 wrote to memory of 5080	2508	Hfjmgdlf.exe	98
PID 2508 wrote to memory of 5080	2508	Hfjmgdlf.exe	98
PID 2508 wrote to memory of 5080	2508	Hfjmgdlf.exe	98
PID 5080 wrote to memory of 1232	5080	Hihicplj.exe	99
PID 5080 wrote to memory of 1232	5080	Hihicplj.exe	99
PID 5080 wrote to memory of 1232	5080	Hihicplj.exe	99
PID 1232 wrote to memory of 1512	1232	Hapaemll.exe	100
PID 1232 wrote to memory of 1512	1232	Hapaemll.exe	100
PID 1232 wrote to memory of 1512	1232	Hapaemll.exe	100
PID 1512 wrote to memory of 4728	1512	Hbanme32.exe	101
PID 1512 wrote to memory of 4728	1512	Hbanme32.exe	101
PID 1512 wrote to memory of 4728	1512	Hbanme32.exe	101
PID 4728 wrote to memory of 1564	4728	Hikfip32.exe	102
PID 4728 wrote to memory of 1564	4728	Hikfip32.exe	102
PID 4728 wrote to memory of 1564	4728	Hikfip32.exe	102
PID 1564 wrote to memory of 740	1564	Hpenfjad.exe	103

C:\Users\Admin\AppData\Local\Temp\87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\87c2e5f388d4135deb51d4084a934540_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\Gfnnlffc.exe
  C:\Windows\system32\Gfnnlffc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\Gmhfhp32.exe
    C:\Windows\system32\Gmhfhp32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\Gogbdl32.exe
      C:\Windows\system32\Gogbdl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        25⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        29⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        35⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        39⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        50⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        55⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1612
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        67⤵
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4356
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        71⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2548
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        73⤵
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5016
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        75⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        76⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        77⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        80⤵
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        81⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1220
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4080
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        87⤵
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        88⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        89⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        92⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        96⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        98⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        101⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        102⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        105⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        108⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        109⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        110⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        115⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        116⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        117⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        118⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        121⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        123⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        124⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        126⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        130⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        136⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 420
        137⤵
        Program crash
        
        PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5772 -ip 5772
1⤵
PID:5712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
96KB

MD5
0a92fe989f15e5abc01e135f627369e4

SHA1
e46c422a12d1b63d3bd6698c88d9d779b0d9a31d

SHA256
abc6148808e4b0f61bb8479e9f67e4a8a43bd32bea84e3b67b883cd2b6969094

SHA512
55243acb8a75e75dda84640c31d4505e990f178220cbf3d9d4ee4080f17e19636612a1d714a38e03184e1f971e45044113f569660168c7b6f9660e916c9c3fd8

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
7773cb25f0df01382fcb5cc5cd7236c8

SHA1
7254277eb6fe1ab58b0bd8530bcd564aa9f3ecb5

SHA256
de3d7f98f2138b98cea613ffce0d3b0c7925de01a65d77c8bfbdca08e2742c6a

SHA512
850e7be6e581c0cf0e9bf8aeb91cbef5cfbe4a6d24274a245b4c1d1a098c739d204efc2f462bf2ee2e1ad23e2880ab0639490ccc5b49a2ac56fbba09f4528742

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
96KB

MD5
f49eeaabfa8357c3cdef47cfcd4fd0be

SHA1
c73ecddc8b1ee12aab3b7b2ab09a677f952edcd4

SHA256
0220d71a62fe3a1ecf7dc525234762a1768e4606156ee243f9e91f03ee4c8368

SHA512
379eacd4b323db1b41d192b38cae0a26fee630d8966657322279219f8974724cbeb6dff2b6721be8cc7101fe778f89ed3959c46f0759c63b0f6cb0f216b25206

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
96KB

MD5
3881443c1a4c6237ed5a8790f83de852

SHA1
7cb69456b731a925e5f0b58db8ff1e823966217a

SHA256
1700a0c50f3f97df42d6ff81f18beecda0dedf97350125dc9c13e1c21a478004

SHA512
3260949616d6d44b71ec4148f05fbd54fe1f2f2c5e6c99783618c5c0c0eaa11718ce1b53efe35a178f8afd5ebb8b2fbb952ca8d0976df9b8bf015b745b783b2b

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
96KB

MD5
ddeadcafc79c44bc824189200dc15137

SHA1
67790991aef9c37f788120fd87891e2e4a9b18c3

SHA256
40c21330b32399161583e4bdba72e56783a5f766ad48e1f26b8c378ad65dd3dc

SHA512
049ca32f5182c0e34b0002f1fa4a61afaf4a52c8af347f841b77dd35375591fafd2aa6ff51d10ad8360b71ab7ee52e1cff6128069b1853957c2e3180b946fd4d

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
96KB

MD5
c7ff4804840dc37da2cb624d07cce1c0

SHA1
1de11c6038d4457b624d2cc9d3e86709bc9d432a

SHA256
e39e70c58800289e4784f37c188b314afe69b1bed548d88bb8d3f3659563d30a

SHA512
ee4fce5de9bda866170727d1b60574246958db75c4e21c2488da672c425fdfe7f5a34e9a7177e28d4666cba0b92d4beb17cd21dcd1dfbecf5cbb558a2fe6e84f

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
96KB

MD5
3b4041a708bb260f99337e10b526312c

SHA1
f52222454ffb7a1efed4f2146763d2f242d13669

SHA256
b488cebb4c38b418c96dbab414c9dc3431902dd8fca6bba2fc371d18868edc02

SHA512
37072d010ab1c122a5b4b37eed20d0b2121029a9e11e0818cbd40b679eabe72de582da4809b8170ecc8c946aadf6eb375f4d843cf4f1a5832b44744e297f190f

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
96KB

MD5
10ecf5da49d5d1d2092781446fffc184

SHA1
37a43aa1cfdeeef217f5641550c794a9cf3f3100

SHA256
c07e2fef14545e246692b11ef0a28f493076030681f1a58c8763209ce512169c

SHA512
118871a3c4764c7b3ab9f77be12cb018948c2b1dfa19ec32b70df98d18dd61528550526ece70cea577cd7840d67971936da80f4e88d6ab998d547a5a653a5eb0

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
96KB

MD5
b234480a898bd81fd24fcc3a55824c2c

SHA1
caab46abb3c80777e1fd76db5b463fc598e02ba3

SHA256
0168e1feb3a281a407ce4f168a6e7484c1f8b214ff49c14111e590201a442c20

SHA512
8a12c165dcb4de8a8c9c4a17c20aa0ec0228f75f092eb8837046f2128fd986ea0bc8d24df4e33bbcdd6dfc3fe210fe7fbdbb525b46fea478dc7af337b6eb1842

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
96KB

MD5
4b942c5f49d86a7c85a739af86217e65

SHA1
20c12629c2358677cde976e65990656cf26e7aea

SHA256
84a8f67fbbae8bc185daebb479984a8cfd1d58a375810c47ff795717301eabc1

SHA512
934e99404ff8b7929951508b1797b11880de728165ee964f0470986a930edea76b0f52c7cd009b5de75c377cebd07f1caf25f418255e38ed1093fbc4333c849f

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
96KB

MD5
5ca453eaafc0d7254f0a41a13d6e8ee3

SHA1
8fece2788f56bf596b6f0f8eebe9d72dea46d0ec

SHA256
85d45e301376f2638348bf8979b72c18646f578bac96a315de8464a4d4f073d7

SHA512
7e3cd5793226286f20c23afc1f393c35b11aaaef7f6a78bbf2206592c1750a490ab2b17ac2cae674d2c94df9962c1db6ef7e9d381c30ffb1394a0528449fdfe5

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
96KB

MD5
eb6ea3bb5cb753293807e6f45501be67

SHA1
2a25e84fa6bc0ba605e7dfaf98d96012a757b6ca

SHA256
8d47ef246cb70d318166c6bde2b0a5cc11ff9539aea549329e66f8fb31177dd0

SHA512
0e256f19b7c32350b5047d82aa02c184ae613bb5b6c5bb24b6000e62de2207eaf13b524af6763f89b15b0b1acc2e2f684089d34d5d7a772b253a1a0e0684a2ad

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
96KB

MD5
5861f35d0d84f5e606b9561230c12981

SHA1
ebef59a6156a586a90df27d4b4eb45da2d3ce1fa

SHA256
21d07f34fc655e6ed34f29d2afc7dd4d66c5ec94dc8f6517fc3202dda8185a50

SHA512
71f206e5168ecffa65e5bddfa1c658e8f96e0976c969a7ffb3abd3815dbafdcf12a7aec1c4606677d865f35992b3bd112bff35503184ebf1ce7d8f68f39a6d5e

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
96KB

MD5
7f54109e6648ceb2651198cbce80d6e4

SHA1
e9596aa11ebe006553bf080cc460b6fcc8621b57

SHA256
4a4fa2bf1a285609f80764a3f10071ca6482467f6f26b56b88027662f8d92489

SHA512
2b2640fc43765c12d33ed9c67e4332b067f4b0d29252cc8a7bacc7f20b15f8c6ff26aa7bbc289354bafa5ea0ffb18ee07f0a322c67edecf523d2b365a36483fe

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
96KB

MD5
a54b82b4af6046e842c19d5d6f1cd65b

SHA1
bf3f0f3f5b879b43bbfa6fb41824106956caad25

SHA256
141e9be79e5c43d18c2427a3c0d694c5b6cfd8a94bc88e752ba618dd67f76676

SHA512
11e9cfb5a0dfda9ddeb193ac214bc1c0f080d06f6d5842ea12e86ac63adf3ea57e844a6ecf564665a2e415cbb9bf36d9b0033b81e881d51616f9ab0bb561f8bf

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
96KB

MD5
b896a4b403019b5d323152829b8d67c8

SHA1
96c8abba0ae8fcb544c45b34083fc58567b5418f

SHA256
c287f4781ce5b4d22d6850d08c964fad9e380b3c524807cf164e2a1fde54dcfe

SHA512
b6d360e28b6404815fea8eaef4c6b54fed54831e8d85b5902d5c53e5502da62ad1f77ca97cf86d5cf8563de04a7861d345faf989b265a20fc50ccdca439cf730

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
96KB

MD5
b5cfc93c7ba08ba816ac004ad1628ff5

SHA1
9e1a6aa5d9fed8a563d24df6eb2f4ed5b582f960

SHA256
55410695c47101141eb0c420ff5e8be3c1de91be0eb33aa8bfafb65a02538df5

SHA512
7e99f3be9c6515c09c602dae80d0d33798d2f91beb2f3aa3e297bf835abbd1331b0d02d9f4d93f2171e08ba26745428d1ab759bce65d342195b67e5e0c92a405

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
96KB

MD5
48c6bfed699c5277f5753294ca5d29f4

SHA1
b0d99bde552df4f71debaa5d83b8dc069b5b4992

SHA256
b716989e781a715b6756468b13c2607aa62a3219299564923b7aefb7ece5caaf

SHA512
67b9fabc540073b3aeeee5140c3bdf3ed62a46f16610c5c238809451e0fe151af2ef55cb45f5f20bd9c83b76138e82e0872b57aadeea50af42df578d785b5604

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
96KB

MD5
270bd364c1f1306b1ff1e8e24c83440d

SHA1
d5fa8b054783ae1aef35ff1104a9ba6a45835bba

SHA256
96c356e7cf1740801c0f7687f03b4311fe246908040ce3a7958708664128c508

SHA512
ade8c6261499941f5463ad13d58807f7fe384114e75da02cccae437fe1f81d9033d225e4515c4146e57d9d39e5dbaf6d98812515346ca80ed953662b89278760

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
96KB

MD5
aa26fd9996053524097ca7288a1fd307

SHA1
e6c739b0d9277ade7cb1977e016566a06f0dac03

SHA256
91aff594481ed479b89502ebfb9b04f21678472f080517da5c065e4cf6ef032c

SHA512
844795bd9997f08f084e0b3b4b0faa911ff9b7fca2b67e099b3c71a05176cabee1de12a2eeef3ac9af9487cf7042aec385dd84cbf20d7ada541ee942a0c6f1d2

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
96KB

MD5
433c7410d1230af6bc98f8236ad39bfd

SHA1
0b3044c4d944f0903701c545677fca9731132d21

SHA256
c49cdd38b7d4c8e0b5b8903d2907545262fd12004882a13a3376b0c5b04191da

SHA512
cb268a12d00fb8a3768a7a3b167663128caae09fd2c4aa8da0e69bea0480d49df833a01db62cf847b6be6f00a9ba0755d6a2d81c4b24b57c93e17d0eb87a10e3

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
96KB

MD5
eeb3a450783b9e714e863345b8b9f5ea

SHA1
018f5f6658383fb7c2d83d1dee86c1fb98222ec7

SHA256
348fdee101ba673e4a8031040fb39f22f54d73fb6a47f11613ad3f7ea6f50e84

SHA512
f901761f5d154fd651e2bb33d4283af23bf7914db10a95199afa2fb98e4b101c0b2085a0d50fa807fcf5b41915ed4906814c132882ef8dbbc35f8abd34d52db4

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
96KB

MD5
d668870ac25018372cdcbef78497402a

SHA1
38960cd36322f8a00b19da2ec3ad7cdd4096123b

SHA256
20febbfd598fa6aa3cac7d6bc46b514b3826e964a33a3ade13c2227596ea8bfa

SHA512
14fd4ed089a353d3575080960bbe25e3ad314d78bf5e49b5be3e10e8ff89b23f2ce62e393b93f281af19729be511088307217b61ec6b1d20904082a31b3ccc5c

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
96KB

MD5
3bcd12c43be7b7ecfa3a372c1b8179e9

SHA1
adf89cc128cd7f1ff2dd257de280be362dce8d41

SHA256
3823a614ba65038a4b5a259e75b21e990b1f159d871bbfeb1fc64991fb086b10

SHA512
278c9cfab26f208f0955d46c3b3ccd0110cd32c5a6ff49bb0203b89f06966ca94f2fb7b1b79c5a4ef415edb9489bce941667ae8ef20616a4af03dc0c0dbf92b9

Download Submit
C:\Windows\SysWOW64\Hifqbnpb.dll

Filesize
7KB

MD5
b6e43e2ccf3435b377bdd55a057f0262

SHA1
8a1892dd57f43f6da7d5dc8a6ed49b4fe58ee6ba

SHA256
4e145f3b7045c10f30126a058d439d919bc0f6514fb20943327b8de52f7c0530

SHA512
d5b57cf1507bc29e067acbf74cf5a98597fc12ceb4472dbeeb7687ff0964bba1fd0f5015985c218fa9acb5a6272de98a18b2d2b90a721e99bf36baa3a410c225

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
96KB

MD5
a587a275bcdc5f533304597465713d0a

SHA1
247c2bdfda5a754270a42db7bf43c52d6e70ae09

SHA256
e8d42484353fbb7b035216beb9574437f3a506f949f051059ee6a95d08548fd2

SHA512
175704bd56641171a40feb91939f31c82c73aeeedc7f689b392049a9484c81e01923d94ae268f8059079cc04860d3520f99d0e63b49c41c5871598e2aa2f71af

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
96KB

MD5
4b12d5148e57ba1822ddf2fa4d070ddb

SHA1
818e8073369668ff615acf55f80dbd74be8150c6

SHA256
422b6e3325e69e04e0e0f3265f8105f00453763652c3bedde1297b17a40dd5b2

SHA512
99e52b8429ed9d6edd69047bb8727387dfa8a1083e92d63cb3746b92465bb7780b362cb31f10d43ded3346bae86d0dc4a70a9913c009ef6b7377b7c343db4a7c

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
96KB

MD5
9ebc2a7eac339adf6c4218b3810660e2

SHA1
843eb6f3d6c138987e0855bd365ecfc750ab0c55

SHA256
4c730a53c31e8ab02974c438313d8047f1786338349694e5f296bca1596359cc

SHA512
05b448f5c77bcc9ee9a8101dc444d548b3e76a684434ffcb3373f3183042626911becee51d159a3e068088b95744d238bc3e4af1190eacd156589d74ee002870

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
96KB

MD5
fcb5463a1049725ef3b1c4a502a6a74d

SHA1
e55d95ce0732c6e025bf2e36fbd22a0f56a76e13

SHA256
585551e7d4a8eefafd4197186d8f7907de2e91475ca9c0a29bb59274b65eaef7

SHA512
e506f91d5d465d3bfcf21f16a81f5d81cb30e454e9cf43c7af151c9fbd4cb74c33bc2946a3c137e871acef3b812dec0d8cea50c6213efbd864f880bc776467a2

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
96KB

MD5
9c0561186a8bd967b3ec1f5baaf0c3c1

SHA1
2caeb7855211f2fd3c38135e83bfcbe1ddea04e3

SHA256
2795c832192e32d30ff78021512904dba8c1a1a609b5322aca13dbd0c30681ed

SHA512
d1fc0423de95d13296102c77fa26c7d302678cce677fd2e91acdd36d46ca0555f675a411ec9d1aae808dbfa3b4de8f508e325451d9677474cd07a6928dd14abd

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
96KB

MD5
7d6630922424e16d30bb1cda24f846cf

SHA1
a93cab54ee838fe3bf3af559679e9fb62a0f88f5

SHA256
02f3d6010ebb0d82edf53a9f793e27e62e8190c4b6d6f45e693337e58465f5f8

SHA512
190ac799ade0d01190538e66a7f5cde844287f3809a537ecb2a9ef4003d92ad44238e13253d0e8b8a1292f92841adfde7b06aed7c5723758aa08a1b9f1fa7709

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
96KB

MD5
278dbfa7ad38124d648993dc0ec847b1

SHA1
3a3220a6ecc5bb7206816bc0367266fc0570a4f2

SHA256
3024ef5a65a4904aa284cfee20f6588bc630fa0c79fb380dd37ac3be3233da25

SHA512
13e85003f74e18f4078c5a7addd82c623c263e2830eda24b0ea27c84b0583749d07b7853f8ed0cade828c5575260c1381e48b929f318b291226c0d2219392387

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
96KB

MD5
407ef855406fe97701dca875a8f07704

SHA1
b16b261f90245ddae5964ee7574c2bcc0f8bd150

SHA256
3ba23de7b15da278f62e9d8bdf6276df7c85e7e7990809dd3c31ad204335b441

SHA512
59251665d1586fd90c4032518630954d09c55dc5f203c0fc325f673c44e63ab9e5f71ce2d77661bf52cfbe3a321ddd4b0b26da6a118b977ce364d2a45aff1193

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
96KB

MD5
95aaf76c3c675987390583fe61ccdb57

SHA1
7eb14310db9a7aa8f03bc8d7608941d6f6562246

SHA256
f95fccd9f3f8eb1a064f777134ccc25ba6508aa4dde4762245072666356d16ae

SHA512
df88f2d5f1eaa540a46f0b60c7bc571da01d9f436865462d67cc7c42adb8a059fa561fcc89f2b9c63d8b397de7b7af84b273c1ba49d2c299abcc4f05512b7bab

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
96KB

MD5
25c1a3b0c60b4146fd4d31d8814059d1

SHA1
dd914c06bbbf608f710b31f8c316e6afdd09922f

SHA256
89260c14e51269bfee060774927d31e5b1ba965d3a127d2920be5abc61764232

SHA512
b65f03d3f3032624eceeae6611b91a41f69063fa8c89a7ca78a99a2dd7dbfb5438d95364150ab2b2291f80638e85ca3671d8707e868453b8d18b49f1bfee7697

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
96KB

MD5
2479322e92a7b61001f398f43b76ae45

SHA1
152401a1a23574163a6fc0f61f05597cf96654cc

SHA256
3179eaa8c39bd8e666fb6b0c29fc24c0e7ca343046d3439190640460d60af3cd

SHA512
142418453d05944d46da1d00bde800d97008fc0e7421bc1414206c62859f2351f3a766c34356bbdaf09c7b5af14b83c9efb6fc937b8715868d3d9bc7d767a46c

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
96KB

MD5
b414f9086428877e2f20e78c3e34d218

SHA1
22fc56e80e356fae0eba40b0967458f206f07c72

SHA256
0a73443d04694851408122945f0cf9d0cfb6098dd3087813edb01a95f90e2ddd

SHA512
8d4ffb2a1b3174c51fca6f72b923e6171420995e694d6ee6de84c3ee4ad0eaf33dbf78c68eb78d744e11ddb68d21e6b9e4b3d2f933e7254b506112ea7f5e4358

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
96KB

MD5
ce42de510e4dc2c09f7d58b2e233dd0d

SHA1
c19a8afe1023e4c6a8c9a9d0033ce7d1f4e8873e

SHA256
81a37db440cec8af5f2ace2b5380de6689aeeb72f0f4fc52b9150b058f567d69

SHA512
50a65e5fa6e91bbd1ac639aa282437b8f0c42f9b839f69e34910b5119770bb3173dfb584b69652704d1baacf7bcc209fb5d14399b6b31c13ed2904ca785933a2

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
96KB

MD5
a2e010c9d98e71eda108da8f3c7e2a4a

SHA1
61a9b3a80e4719bb4f4237f30cb8fb173020d07f

SHA256
71473ebe95b863a1a504cff69e91e1c5d7a386f88c44551ad1f3f57aa142ccd9

SHA512
e492b072748c5a6011464f80033b1c4e2104ad8986c9bed31a535873c5b4d81ae9b9f41220adbcd0befd5cf98fa0cac6ccf98aa2d3b3578c57b76a438cea5b56

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
96KB

MD5
7c05b973b6ecd6e43da2173bee248e84

SHA1
989dce7f4f3fc88303f822866fbefd5ae07039af

SHA256
301a1a16888b41f8895c98a1a1460c3ef94ac3f1c3d70236d9ca11202446e813

SHA512
ffc53074f581f5a23ad9b79ebd131661f70f4766719c07eed438a919ceefa8a35694e351ea56937076b03c5e3f17c6835eba0f4e6375c53e16be85fa192df888

Download Submit
memory/64-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/116-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/824-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1012-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1012-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1096-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1328-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1528-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1528-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-549-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-512-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2020-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2140-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2140-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2900-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-464-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3392-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3772-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4120-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4136-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4136-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4268-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-563-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4728-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4768-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4768-570-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads