cfc1b93b760d6fb21dc9f201479f52a493e9292824cb50b203c9e74ebe1b88a0

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

060448469cc35678b51bc889d6062300_NeikiAnalytics.exe
Size

128KB
MD5

060448469cc35678b51bc889d6062300
SHA1

448a2da811dffa77686b4237e7d21495c9e4f292
SHA256

cfc1b93b760d6fb21dc9f201479f52a493e9292824cb50b203c9e74ebe1b88a0
SHA512

905f8adb6df6b14f0c084b0dafc8ffdf83a533b3dbe7a0fc30976bafd5a483c4c6bbe1d796aede9a06a99dbf211293d050b9b9d7f58a3bdd1d7e3f3bcd654c33
SSDEEP

3072:FAkt8khF2nQ6Tpym/PwidSX3ReDrFDHZtOgxBOXXH:ukTkQ6tP7dSX3RO5tTDUX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	060448469cc35678b51bc889d6062300_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe

Executes dropped EXE 64 IoCs

pid	Process
3252	Fijmbb32.exe
1588	Fqaeco32.exe
1424	Gbcakg32.exe
1744	Gimjhafg.exe
4196	Gqdbiofi.exe
2552	Gbenqg32.exe
2168	Gjlfbd32.exe
956	Gmkbnp32.exe
3272	Goiojk32.exe
4116	Gbgkfg32.exe
4284	Giacca32.exe
4136	Gpklpkio.exe
5016	Gbjhlfhb.exe
696	Gjapmdid.exe
3540	Gqkhjn32.exe
1608	Gcidfi32.exe
1888	Gbldaffp.exe
1788	Gifmnpnl.exe
3064	Gameonno.exe
4740	Hclakimb.exe
3640	Hfjmgdlf.exe
1816	Hihicplj.exe
3572	Hpbaqj32.exe
2496	Hfljmdjc.exe
2984	Hmfbjnbp.exe
3740	Hpenfjad.exe
3212	Hbckbepg.exe
2000	Hmioonpn.exe
3296	Hadkpm32.exe
4756	Hccglh32.exe
3732	Hjmoibog.exe
3136	Hpihai32.exe
1556	Hbhdmd32.exe
4772	Hjolnb32.exe
208	Hibljoco.exe
936	Haidklda.exe
1876	Icgqggce.exe
4360	Iffmccbi.exe
3304	Iidipnal.exe
4184	Iakaql32.exe
1840	Icjmmg32.exe
2980	Ibmmhdhm.exe
3800	Iiffen32.exe
912	Iannfk32.exe
1672	Icljbg32.exe
2636	Ibojncfj.exe
3324	Iiibkn32.exe
4916	Imdnklfp.exe
3244	Ipckgh32.exe
4928	Ijhodq32.exe
3632	Imgkql32.exe
4920	Iabgaklg.exe
4768	Ibccic32.exe
1016	Ijkljp32.exe
3468	Imihfl32.exe
1088	Jaedgjjd.exe
368	Jdcpcf32.exe
3476	Jbfpobpb.exe
4852	Jiphkm32.exe
1072	Jpjqhgol.exe
2432	Jdemhe32.exe
2064	Jfdida32.exe
4564	Jibeql32.exe
5112	Jaimbj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	060448469cc35678b51bc889d6062300_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5652	5948	WerFault.exe	234

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	060448469cc35678b51bc889d6062300_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hmioonpn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 3252	804	060448469cc35678b51bc889d6062300_NeikiAnalytics.exe	81
PID 804 wrote to memory of 3252	804	060448469cc35678b51bc889d6062300_NeikiAnalytics.exe	81
PID 804 wrote to memory of 3252	804	060448469cc35678b51bc889d6062300_NeikiAnalytics.exe	81
PID 3252 wrote to memory of 1588	3252	Fijmbb32.exe	82
PID 3252 wrote to memory of 1588	3252	Fijmbb32.exe	82
PID 3252 wrote to memory of 1588	3252	Fijmbb32.exe	82
PID 1588 wrote to memory of 1424	1588	Fqaeco32.exe	83
PID 1588 wrote to memory of 1424	1588	Fqaeco32.exe	83
PID 1588 wrote to memory of 1424	1588	Fqaeco32.exe	83
PID 1424 wrote to memory of 1744	1424	Gbcakg32.exe	84
PID 1424 wrote to memory of 1744	1424	Gbcakg32.exe	84
PID 1424 wrote to memory of 1744	1424	Gbcakg32.exe	84
PID 1744 wrote to memory of 4196	1744	Gimjhafg.exe	85
PID 1744 wrote to memory of 4196	1744	Gimjhafg.exe	85
PID 1744 wrote to memory of 4196	1744	Gimjhafg.exe	85
PID 4196 wrote to memory of 2552	4196	Gqdbiofi.exe	86
PID 4196 wrote to memory of 2552	4196	Gqdbiofi.exe	86
PID 4196 wrote to memory of 2552	4196	Gqdbiofi.exe	86
PID 2552 wrote to memory of 2168	2552	Gbenqg32.exe	88
PID 2552 wrote to memory of 2168	2552	Gbenqg32.exe	88
PID 2552 wrote to memory of 2168	2552	Gbenqg32.exe	88
PID 2168 wrote to memory of 956	2168	Gjlfbd32.exe	89
PID 2168 wrote to memory of 956	2168	Gjlfbd32.exe	89
PID 2168 wrote to memory of 956	2168	Gjlfbd32.exe	89
PID 956 wrote to memory of 3272	956	Gmkbnp32.exe	90
PID 956 wrote to memory of 3272	956	Gmkbnp32.exe	90
PID 956 wrote to memory of 3272	956	Gmkbnp32.exe	90
PID 3272 wrote to memory of 4116	3272	Goiojk32.exe	91
PID 3272 wrote to memory of 4116	3272	Goiojk32.exe	91
PID 3272 wrote to memory of 4116	3272	Goiojk32.exe	91
PID 4116 wrote to memory of 4284	4116	Gbgkfg32.exe	92
PID 4116 wrote to memory of 4284	4116	Gbgkfg32.exe	92
PID 4116 wrote to memory of 4284	4116	Gbgkfg32.exe	92
PID 4284 wrote to memory of 4136	4284	Giacca32.exe	94
PID 4284 wrote to memory of 4136	4284	Giacca32.exe	94
PID 4284 wrote to memory of 4136	4284	Giacca32.exe	94
PID 4136 wrote to memory of 5016	4136	Gpklpkio.exe	95
PID 4136 wrote to memory of 5016	4136	Gpklpkio.exe	95
PID 4136 wrote to memory of 5016	4136	Gpklpkio.exe	95
PID 5016 wrote to memory of 696	5016	Gbjhlfhb.exe	96
PID 5016 wrote to memory of 696	5016	Gbjhlfhb.exe	96
PID 5016 wrote to memory of 696	5016	Gbjhlfhb.exe	96
PID 696 wrote to memory of 3540	696	Gjapmdid.exe	97
PID 696 wrote to memory of 3540	696	Gjapmdid.exe	97
PID 696 wrote to memory of 3540	696	Gjapmdid.exe	97
PID 3540 wrote to memory of 1608	3540	Gqkhjn32.exe	98
PID 3540 wrote to memory of 1608	3540	Gqkhjn32.exe	98
PID 3540 wrote to memory of 1608	3540	Gqkhjn32.exe	98
PID 1608 wrote to memory of 1888	1608	Gcidfi32.exe	99
PID 1608 wrote to memory of 1888	1608	Gcidfi32.exe	99
PID 1608 wrote to memory of 1888	1608	Gcidfi32.exe	99
PID 1888 wrote to memory of 1788	1888	Gbldaffp.exe	100
PID 1888 wrote to memory of 1788	1888	Gbldaffp.exe	100
PID 1888 wrote to memory of 1788	1888	Gbldaffp.exe	100
PID 1788 wrote to memory of 3064	1788	Gifmnpnl.exe	101
PID 1788 wrote to memory of 3064	1788	Gifmnpnl.exe	101
PID 1788 wrote to memory of 3064	1788	Gifmnpnl.exe	101
PID 3064 wrote to memory of 4740	3064	Gameonno.exe	103
PID 3064 wrote to memory of 4740	3064	Gameonno.exe	103
PID 3064 wrote to memory of 4740	3064	Gameonno.exe	103
PID 4740 wrote to memory of 3640	4740	Hclakimb.exe	105
PID 4740 wrote to memory of 3640	4740	Hclakimb.exe	105
PID 4740 wrote to memory of 3640	4740	Hclakimb.exe	105
PID 3640 wrote to memory of 1816	3640	Hfjmgdlf.exe	106

C:\Users\Admin\AppData\Local\Temp\060448469cc35678b51bc889d6062300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\060448469cc35678b51bc889d6062300_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\Fijmbb32.exe
  C:\Windows\system32\Fijmbb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\Fqaeco32.exe
    C:\Windows\system32\Fqaeco32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\Gbcakg32.exe
      C:\Windows\system32\Gbcakg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        28⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        33⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        34⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        38⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        41⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        47⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        53⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        57⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        61⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        64⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        68⤵
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        69⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        71⤵
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        73⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1268
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        77⤵
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4456
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        79⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        80⤵
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        81⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        82⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        83⤵
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3268
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        85⤵
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        86⤵
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        87⤵
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        88⤵
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        89⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        90⤵
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        91⤵
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2804
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        93⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        96⤵
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        97⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        98⤵
        
        PID:588
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        99⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        100⤵
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        101⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        107⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        108⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        109⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        112⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        113⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        114⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        116⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        117⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        122⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        123⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        124⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        126⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        128⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        130⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        138⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        139⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        142⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        146⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        147⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 408
        148⤵
        Program crash
        
        PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5948 -ip 5948
1⤵
PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
128KB

MD5
dc6ca859f0815d08187ba7003ddaa6c0

SHA1
64766c80df408af097a886c04b56836709cbda97

SHA256
aaa04a79d08281a8dc5c764b3c3178223bd673c2086a7c71de4d3ce651f75492

SHA512
3d9a35bae4d779ed22cfc5a65915cb7eded3d8f9dec3297fe88778ef728d01be7363496d489edc86e44060ed7c062b0e6a0412cb46cb65052485112bf0822823

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
128KB

MD5
95b8d7d743b6d9a213b70b027264e99f

SHA1
b3cc1cddaabea0c7c9a5d68df9c5b78f4468df73

SHA256
b418655962155d7e7347aeff02266c7e3ccb1d135032aadf9dffe62acf082e1f

SHA512
84c639cd7225c4a053b907d887750e6463278aab2a2b73476b503bc57c968de70125563117c37a7e36cf4b60bafeb2992c50b9c912a0cd6673947d73e4cecd34

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
128KB

MD5
f230fe0d1a551bf05938cb0068a6e7ad

SHA1
01bf8715fc33c23f2d61200ebdca940e44c51ed0

SHA256
9a9e7dafd4494cc53a75a1989398ef98361b70689264b1291db781458253cb77

SHA512
161519ebf261e1f950026485e929a7d49967ff51f082d56db4ad854a38afe9fe2b00f577a81a048f8386b3b21dc1cda4b24f7f07384681ac3a031d1e0296b3c3

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
128KB

MD5
3ae756bf6257fa05d6a32208470facb7

SHA1
43e175b52d9014166299520cf6b06ad45706ed96

SHA256
8b3af17104865e74752bf753e37372ceb39e9028c91fec5515c4e9855771b5e4

SHA512
3bd5d5373bfd710ca3f0fe293d006cdcf259d514d565e14a8983583fffb5d8aa8ca99e668656f8ee9ef586f4386a7e1b845f44ccee4e0e82aedd432a56c0b390

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
128KB

MD5
db1b9cc0d1cf93b220f227a68ccb0270

SHA1
b9c0a6eec8dd5721469acb777e407e17ea11f9c6

SHA256
4058e17c56c0685fea5bb523ea12fda64f7f4300f5bad7043e357bfd7584d5d9

SHA512
b24a3f3bab70af7ff2777edba983a89dd6f25e126b6c94749de4d7461faa32379b3b837012664c5ebd292c0ad38e349241215773a84ad2f1237668eaa45c05d6

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
128KB

MD5
ddc6f971d4ec2ffcfe15e354be707ca1

SHA1
15b29d37a80712711b83765b1c373f2a4875f0a8

SHA256
8bf2ae764de909cf30497deaceb7bd0ea3c21a02d0e4635cc4df3ecf433d6fca

SHA512
0a4bae87d0e1669b6a5443d554819c30c36d22f3f7a8b09c940fba4e59fecd9bf6050864cb88a3e0fcde1987e094085d8bf45285194d386b38a748821b6cb97d

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
128KB

MD5
6c5ffa5c6db9568dcc7f9e5c969912ea

SHA1
dd85d7bab1afce093586b0ef8efa1158e53adf6a

SHA256
70635c93b75390cb8b5e644f078cd9434cc4f3cd77e40ef80a1d749aed06f8c9

SHA512
abc9de8f6d557fa5699ea902e0abd7b8b71b6f2a29ce43e293dffd5187c0f747c0958449ff420361aff9bdabe5cbf007bb26d73550577d2aec8fbd9585598fd4

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
128KB

MD5
86f0e7e4a347ec478052b51a875abe4e

SHA1
b3990bf190f09e34932bd723c2ecb8539a058425

SHA256
581c356dca2d097649c6be2defef5d0bf6e3e5616c265c9aac23d98c7248ca6e

SHA512
c5e145cf1807cbfe79a4020dd42c57739427386c0b63aeff96d9f2b7bd98a875396e84ef652c9953815ec00947dd0e81e3baa7c3e47c926951d172b0c6b6be46

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
128KB

MD5
cf473263b047638132a1161bc1ebcb82

SHA1
4f4254ffecab536ad2b62ec2889e50fd90dd11c2

SHA256
cca836f3d8de7dd131a9b1d5208a72ab03cd34dd8fb4e1604ab096a8cf40772c

SHA512
6efc24d99081aaa1feab77220573e29424934c015da389033c058f01829e0a671ecd6455fa7ddf45583ff8c9a45256f64458172ed9b75f6c8e644bbf23d90a8c

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
128KB

MD5
720d2ed3bdd5bc1b43b6e8b9cb2801d1

SHA1
39aba3fab5cf645cbea24acca16227778b3b239a

SHA256
e951600c8a0795e806828de3ab487112e4c0235022fccf70770d4ada3cd9c06f

SHA512
5b3f1528e17a8a4c9107ea7c5dcc724f0153181526d0b5b75874140ea7f6bc426635696e6c56da5490ed579f131a2fad0fdd7dca7b9b590127cfc067352994e7

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
128KB

MD5
5ec935e89cda2233bf0ef567c41baa6c

SHA1
95af5d8adf24e8ff61ab0d04121edaa88ad2a5d8

SHA256
9c5242548359e27fa66d31076fe4633ea4cdf5c2133d9ea47a75ce27adc12e7e

SHA512
f60da2a088ce13197b22b45301a4b21d8dd065e27cdfb63988a3e46915dde3a4cc77a319c37d29b543c5706d5d6f4f07b59211ebb114bc4bbd00f7a969aa6003

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
128KB

MD5
bbc4c48e0d14ea9146eb3d572c230e7d

SHA1
b66c1ab945d09b8c0d9a89af35fa242627064a98

SHA256
dcfe8328e9473fa222c65897e07300f918a3541f01aff9a30c23473964309b5a

SHA512
d07de7834711599c26471b22062e0a53b581037c993bcb0f51162326915710edfc33e02f3f42bc4916831302d05e60d8c4c5b393345be6b1ae95fa69a02b067f

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
128KB

MD5
b275f2e3634f3b2fbf99a080e04c2db7

SHA1
c4db89906bb7864082f75ab9466f687d452aae04

SHA256
df971a6eca50ceb287dc76192904b2be37de160ee523004b1d79d2c7b1356a57

SHA512
250f3514178f3bdffa08ab5ca9ffacfd944c5dd7d5c4c3d0e7f32cd01ff97bbdfd34775bda2c71339d8e47b97ce576fbcc96fc535acee28ace04e0774504411e

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
128KB

MD5
4f307e6c4b3dce771b75d4e323c59219

SHA1
631925c65c92a6fcfe9cd52135464cde4da1f3c3

SHA256
c05805892ae255dac9eb8be083f059def721817f4a09643dc8c36498fb16c1b2

SHA512
80eee4b73286fecace9b04295c0aa3b427ba153f26e4dfd2fc8bd98d88343086405d139d4e06c107c0692c02f612ba7931e817be900b1a3fbec1b9fe38b8f3f4

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
128KB

MD5
5e80d61b34b7a2d5430dd21862c1fbd8

SHA1
9158191e8ddcd61003e181b0542841ad5d0ae6ed

SHA256
59d9f97cd2a4aad7da4503faace18af6100db6fb76a22491c58f354ad8153b42

SHA512
97012433d1192a0ba5a2cf773117c9fbedcb168ea1a7309e2bbbe463288285b6ea273e872a952c18988b97cffcf315c9aa1eb6e7939033bb49b73ae06a352b22

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
128KB

MD5
bbfd7a204e36fc0d1ed75bb1e06b645c

SHA1
03e3c6d44266009faf4f8d8038ec692c48ca236c

SHA256
f364610d56d05e39b746876f0d8c20a6765bd59ecdefc747786d4043ccbfa31e

SHA512
5833646614045c2fc4d8ea90ed64a4992324a83423b400252dddee4614210c3d7a30b4dd6b50c28f96e44f65cad4d0056a5ff07d74693bdb58e954eb1d8ba2b0

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
128KB

MD5
89f4b089e9fbebf7ace8fa7e501a4617

SHA1
4393fc3a6da2a387c71d3778bd18bc65891bb657

SHA256
1707925ebbdf993adb22e03a2564832910eaaa154eb59ae8f82ac251778aca54

SHA512
2c833c56fcafe8d7af1da607040cee3972a89ee6f6d03846f9d2f6dd2212fd4b38c9953956d7cd2afae15d9ed81663b447bac657f5cf8cff71311637e50d0348

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
128KB

MD5
0ca7aa9eb05d5eb80b45aaec8c0965db

SHA1
a44c6948e16db148efb7b76fd363d637a9ab2e25

SHA256
75bd56c253d0d7bad488b384e2a991948729bc134dfa9e63fa3a207edf3275dd

SHA512
3360f80b3cf4462970c38ca3c105efd774d3e3bc4aa569387dad94072c034f1c2b80b43461d1f1683f15c12d09cbf2ba9d42a3f7fdc6170ec85fc0dee38aaf0a

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
128KB

MD5
18c6666eb384f78e58ead7ac2c34909c

SHA1
f7cdcefa504a4632a01cf2499086eeba491b84e2

SHA256
0a9fc85ad10348e8637408349554ecbde21610705d150800818c3734de4e5802

SHA512
09d8de7cbb7fe25d69d0783724d79aad2b8349641acb743c3bfa47c58a9514d08249261297b72da7f78b5c797a42bc2ace2800096b158a064ff386b880890ee3

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
128KB

MD5
f7d05280920cf0d61073dd2a1aae8d80

SHA1
c765289ed457a9dd7723021a9a15f7812a34e28a

SHA256
31437b23b9e076fed2fbd9d642ae4021a04546a5a0ac2a84c12634e22e05fca4

SHA512
9583e082dcca0946bbe9a581f53626ba7d69499d49c2fb6ac77756e6c7bd97cfa7a62c90988ec5e5e4a059186452d3ae7665272d2938b670e8da36e8c5ea8c01

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
128KB

MD5
24ab8f6ea0bc1aa12013e55568f8b184

SHA1
887b430c5fa60a5ccbb11890967a4d12e6dbf8ac

SHA256
dca05a46612c86c7135ba4a6d92fff06fbe9d9a862b4eff03041bc79bbe0ad04

SHA512
4d6b944de6cf9e19a940570b13864e3a908044e1cb39d2148093d9dfecab8f80814177b4e47052e504a99d6120ff45108a4212970b2d5bfe58a7b2ce376c275d

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
128KB

MD5
4bfc3fa23b000646ad1acab3db289cdd

SHA1
26889b0a748ef56e2b607210c1d0b51294207112

SHA256
0f7e2c4343a89af0a04c87ea89fbdc65fb005392598ce0edbf2fc794c47a8315

SHA512
97d05f4c6871a9e5f7ecd1fb26265558dca62e54f60bda68bb5f40d6b852fa1ff9c3326ecf297b660af8ac1aa10697e2dae65aed825e61faa7d64547598cfb37

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
128KB

MD5
f914d86db9402dcb939e8cef787b55db

SHA1
1f512fb3c5e17860f9569e175fc70b737b670fa4

SHA256
55791dbff1bb6bfda5d655f54d2e1a319494ab983ee41b1ecd70acd5de550f52

SHA512
e61228b2ffc9be22879baa56e9691efcda3aecfee5fe826213162e767a3547dae865f2a58793a2e14edb63368de2285f1be86b2f61d883f7702d8ff101baac7b

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
128KB

MD5
45136aba3272381a4014fe1b3558dafe

SHA1
e50f6126a32e96c526db4b4da08dca18e5cb8ce2

SHA256
5fdfc55915ce2fe1b4714cb628d81658336a3421404ed3d3e3d4fff93824a25c

SHA512
7fa8a9082ac7c21e37a8c2aab31e252d129dc79c508538d9fe5cb5bae6c957fc7c1cc15f1e303d4236d1db092de3384c7af6b41d4ab28f7a6542a26fe98d4863

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
128KB

MD5
ab340b395cd5308a2b6294fb964a04f3

SHA1
7cfa336af38d2d9bf1e1538e6c184d8f11492137

SHA256
c4bb2f10e650c753ff93813100cb9f0a19203e6cdaeb8239c8eb30a2e8bd0ae1

SHA512
aa8448ba2eb0329fc264f946633402e2bf80aa30e6d0f51da0b3935fbfb2712e26d360d20fc2ea65e40540b425fee4211d6714d6189190f20fe17b7e7e93572a

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
128KB

MD5
969c30fa9fd68ae3daeb7b1691863a37

SHA1
991c9068aa18d6bf68860a218589c11dac67ea7c

SHA256
a37b3be2223329b068a4b761d9bda58d49fe7ea6b0dbefb978cebec11a5e5df0

SHA512
d0a317ff525ce1af439dcdebcba833a39d45bbb2e5829674264f2af5573690f92cefb34347c08015e9598383d0dc6ec98dcb7d59873bbc3398985c1eb77e8514

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
128KB

MD5
cae4aa3f7573431f73e14c984b3d3bdf

SHA1
3f1d68a3ff787c3f4656d5cf2ec64c348d9b94c1

SHA256
8bb4d6941f6d2610c28b011dd04ba4d1f58dc329324bcc09007e0a2412fd9c85

SHA512
150ba1599be573daeb368f19af091d2890b003c06f64c7fd6ac7edf3bcca18436e610ef9661fde2fce73d06373b90bf0840c8c0a24f466b3f4c7852bb2b5a067

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
128KB

MD5
c568a4a06c99255addf9a76c8d6d155d

SHA1
962b7c0aebaf08365e337fc4c49c46bcb5fd798b

SHA256
b56613e12628b0d674f1c3ac97bda898761590985c551551ad43232c0ec411a5

SHA512
f99e678455f802282a018895a65b3c87443680de3b27d18c8226a4974187d0945c5d56c394887001440067f7ca23c7907cbb236d84e1dfc83a357a0a7322282d

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
128KB

MD5
823e31273a4c6134a4d2e9455052c593

SHA1
a28ed16fbd85cf23f750a2e14fb507f3869eb231

SHA256
7527b9f297926b0a881de91ce85d0cda822dae761eb5f4df917a36ca5560f13b

SHA512
74cfdbdd179697355524e1117afdcd5225783d35d8da013642c023bcd10dc601af4acb7e5a483595fde19906008757587dfddd3ef231919416049f5bd5361680

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
128KB

MD5
71eff1029e726bbdd853c7dd461d66ed

SHA1
9d13b417139fc8a173d485ced14446a9635b0818

SHA256
030062b5fdb1c61809b8cf001b5133b43ae246c1a52804a21637cf31d2d2e945

SHA512
c3189e869125bb744dec1b91e65ab0a6fa68ca5dc493a9bf5d4f35d763ad2b20815b8a880ca693d5a984a61ed3a469d7af3bfa9eb9a02edcdb06a550e70d5fce

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
128KB

MD5
6c80f31b6258f65bb78141bd6942b099

SHA1
f049ce2101832442b472ecb33c57d6f748612d12

SHA256
33eddad0972779ca0aafad8c03b73762469e3d74811346f63412eff1d4854936

SHA512
8dbcbf79d480bbd45c381725e257b5b51550d913bc38c935995670d8aea995f0e2f1c8cf8a2462cb3792776ce633c9c6c0fb02f3fd3e9b74c7e466b445ed431c

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
128KB

MD5
af083fd62068fc99bed5fae69c670c65

SHA1
95144c776b47523129309ecd1261c9617b7d10c8

SHA256
7286dcc7409f2622305debcdb776c758322d8d39aa4d723b5f89882ddd4a5cf9

SHA512
9e9e9a6ec076dc52a9afb9e5ccd4b752932dd3e6f62f40954fbddcb8f2ce2f72af6a7a52ed0ab551747529a5855c0d38c70822b551f6b90aa77394e0ab5d2c99

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
128KB

MD5
8c672e9baf08c68993a9894ea6d591ec

SHA1
4906526da4ed96813f0d6c6843acb08121122997

SHA256
c759c0ff04d3084fa27f1654ac63e1e05aed433228596bc82a1e9c2e9070c321

SHA512
b44d7da7e5354161f19fcbc328dae2b57eed6541318a00dbb925d0764445983ade89f9cc2bf345f703f28c12c717fffba2669f40243d6d7e1e6fca1d713cf68b

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
128KB

MD5
2ecf4f66dae4b5601532043a06b96c82

SHA1
60bfcdd44a41f947d7e61e0927c9bea58012204a

SHA256
b5ef118f5c56956815de9b205de21e289e4e628343e6df587a874720bbb46e92

SHA512
ed4b93e480691d41348ef36f4729ead6ef16a274be6f13a06882b61a369f1967970465e196a4f32a89721fe3194d5c088ee78eb982c4fb9c447bd8b546282b65

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
128KB

MD5
aba343adb812b38477858a4133d587ae

SHA1
1371b8e82729b2bcc93830779f50667c3e294ebb

SHA256
71961f7e8c18e94c33c114658875ebfc5d0306916866a93fb6a80540d0e9ee48

SHA512
267928d593e147710233d157ae6cf951fd464912b10d88d38f02160c0ecdda4ebf7945d18ce781c2992e59a7ff82db440254da2d6c83fad9811eb90666e1fb2c

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
128KB

MD5
ec9bf177a29aafeb60d414561cf91a84

SHA1
9749fd1f59abf8aeabf03a33b8fcd6408e078172

SHA256
31f282510aff1d815759a0b1203ad87b394b0b55a14f7770b20d984353ef04c2

SHA512
cd15942f0939515e2e5f674d52f8cd2b9a1265e9bdabb85a92eca4ecd580bc66a9a0b1eb36973a048a1bbdade75b91e0212d817646986952e494386fb4354253

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
128KB

MD5
b08b4591f66d44d2001ba48e3a958496

SHA1
e4caa4ada0ab72744a00cb360b33492e0b5c606f

SHA256
c2f393cd01768d5468f039ae3586129733ee02fb6d34a0d4466b8a40876fce20

SHA512
e18e54778bf2ac38829cd4b557d72d90e0c6e1c289e2b9d4c5495f607351f4e31ec5b40d6dcfdfc15470106d1a626f16f821386d298a9d28e45f3a9078106431

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
128KB

MD5
1085018887a4c1bf443e83bab8311e2b

SHA1
c6f156b98c6279ade185390df4dc9e19bf74389c

SHA256
773480bdf512253a09ac1e63ca1e1c98744001e23e871f0ec08a1bb75d2b6b97

SHA512
61488e82ff10a30acba245bdfabdaed08659fcaeba7211d7db2ce0dfff5c140afa5bb810a33884a0237426cab5f395942741481875f8659fc143342217b8cf68

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
128KB

MD5
c6ba6d0b72ae90e6ede201f00b5f2e1e

SHA1
d57edd3db62212f39650c23e61aa6278b3652860

SHA256
0ef929014d5981d30f79cff391f09e19ef8a8a18ed00cd1ba7605330c28ca0ca

SHA512
edf187b49ce99af85a0b777aad05007a42837253e3353179f8217d5f3739dc6cc8335abeae0f947daa90eba5a64e0eedb0296ab378c72629016ad321b01e2f53

Download Submit
memory/208-278-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/368-410-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/696-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/760-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/804-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/804-544-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/912-332-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/936-284-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/956-603-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/956-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1016-392-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1072-429-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1088-404-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1268-514-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1424-565-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1424-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-534-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1528-598-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1556-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1588-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1588-558-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1608-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-338-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1744-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1788-148-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1792-488-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1816-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1840-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1876-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1888-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1952-549-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2000-228-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2064-440-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-597-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2364-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2432-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2552-585-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2552-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2636-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-586-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2980-320-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2984-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3024-466-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3064-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3136-260-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3168-458-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3200-572-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3212-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3244-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3252-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3252-551-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-566-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3272-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3296-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3304-303-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3324-350-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3468-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3476-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3540-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3572-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3628-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3632-374-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3640-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3724-579-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3732-247-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3740-212-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3800-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4044-476-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4116-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4136-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4144-482-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4184-309-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4196-578-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4196-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4200-552-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4284-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4360-296-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4456-530-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4536-559-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4564-446-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4572-461-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4736-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4740-162-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4756-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4768-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4772-272-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4852-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4916-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4920-380-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4928-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4980-513-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5016-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5072-522-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5112-452-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads