6298141046c6d2165cc17388faf3e25d09e89164371048015cff8eb6293f7d88

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bef02afc46e78f7583bcccfb941f570_NeikiAnalytics.exe
Size

81KB
MD5

1bef02afc46e78f7583bcccfb941f570
SHA1

aeae01299b20018fb8e41f164028fa4a0a8a92da
SHA256

6298141046c6d2165cc17388faf3e25d09e89164371048015cff8eb6293f7d88
SHA512

14c5ea03543af6f27922f5bf65467e38c61cd805bc809f8b419f21527b42e8d9a5926b75f76a1eaef4d68f8432e1b2a99e74ea104c4599e4b3a36eee46cd5e14
SSDEEP

1536:BIA0DGZyk1RGCpFtClxJWqoaIZBCVO2w7m4LO++/+1m6KadhYxU33HX0L:NSGZyMj7kx43UVzw/LrCimBaH8UH30L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe

Executes dropped EXE 64 IoCs

pid	Process
3800	Gbgkfg32.exe
3820	Gjocgdkg.exe
740	Gmmocpjk.exe
4972	Gpklpkio.exe
3228	Gcggpj32.exe
1660	Gbjhlfhb.exe
1412	Gjapmdid.exe
1808	Gmoliohh.exe
4160	Gqkhjn32.exe
3508	Gcidfi32.exe
4228	Gfhqbe32.exe
1888	Gmaioo32.exe
620	Hclakimb.exe
4660	Hfjmgdlf.exe
2864	Hjfihc32.exe
4112	Hmdedo32.exe
4248	Hpbaqj32.exe
3480	Hbanme32.exe
2084	Hfljmdjc.exe
972	Hmfbjnbp.exe
4540	Hpenfjad.exe
1652	Hbckbepg.exe
460	Hjjbcbqj.exe
3280	Hmioonpn.exe
4440	Hpgkkioa.exe
3140	Hbeghene.exe
2756	Hfachc32.exe
4464	Hippdo32.exe
464	Hmklen32.exe
2076	Hpihai32.exe
2556	Hbhdmd32.exe
4444	Hfcpncdk.exe
3728	Hibljoco.exe
3036	Hmmhjm32.exe
2016	Haidklda.exe
1556	Icgqggce.exe
1632	Iffmccbi.exe
4832	Ijaida32.exe
3572	Impepm32.exe
1364	Iakaql32.exe
1560	Icjmmg32.exe
4880	Ibmmhdhm.exe
2624	Ijdeiaio.exe
4032	Imbaemhc.exe
4040	Ipqnahgf.exe
2616	Icljbg32.exe
2024	Ifjfnb32.exe
1852	Ijfboafl.exe
3044	Iiibkn32.exe
4136	Iapjlk32.exe
2444	Ipckgh32.exe
3864	Ibagcc32.exe
2980	Ifmcdblq.exe
3264	Iikopmkd.exe
2004	Iabgaklg.exe
3780	Ipegmg32.exe
1616	Ibccic32.exe
4460	Ijkljp32.exe
840	Imihfl32.exe
1792	Jpgdbg32.exe
2216	Jbfpobpb.exe
904	Jjmhppqd.exe
1696	Jmkdlkph.exe
512	Jpjqhgol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5124	5300	WerFault.exe	234

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3800	3452	1bef02afc46e78f7583bcccfb941f570_NeikiAnalytics.exe	82
PID 3452 wrote to memory of 3800	3452	1bef02afc46e78f7583bcccfb941f570_NeikiAnalytics.exe	82
PID 3452 wrote to memory of 3800	3452	1bef02afc46e78f7583bcccfb941f570_NeikiAnalytics.exe	82
PID 3800 wrote to memory of 3820	3800	Gbgkfg32.exe	83
PID 3800 wrote to memory of 3820	3800	Gbgkfg32.exe	83
PID 3800 wrote to memory of 3820	3800	Gbgkfg32.exe	83
PID 3820 wrote to memory of 740	3820	Gjocgdkg.exe	84
PID 3820 wrote to memory of 740	3820	Gjocgdkg.exe	84
PID 3820 wrote to memory of 740	3820	Gjocgdkg.exe	84
PID 740 wrote to memory of 4972	740	Gmmocpjk.exe	85
PID 740 wrote to memory of 4972	740	Gmmocpjk.exe	85
PID 740 wrote to memory of 4972	740	Gmmocpjk.exe	85
PID 4972 wrote to memory of 3228	4972	Gpklpkio.exe	86
PID 4972 wrote to memory of 3228	4972	Gpklpkio.exe	86
PID 4972 wrote to memory of 3228	4972	Gpklpkio.exe	86
PID 3228 wrote to memory of 1660	3228	Gcggpj32.exe	87
PID 3228 wrote to memory of 1660	3228	Gcggpj32.exe	87
PID 3228 wrote to memory of 1660	3228	Gcggpj32.exe	87
PID 1660 wrote to memory of 1412	1660	Gbjhlfhb.exe	88
PID 1660 wrote to memory of 1412	1660	Gbjhlfhb.exe	88
PID 1660 wrote to memory of 1412	1660	Gbjhlfhb.exe	88
PID 1412 wrote to memory of 1808	1412	Gjapmdid.exe	89
PID 1412 wrote to memory of 1808	1412	Gjapmdid.exe	89
PID 1412 wrote to memory of 1808	1412	Gjapmdid.exe	89
PID 1808 wrote to memory of 4160	1808	Gmoliohh.exe	91
PID 1808 wrote to memory of 4160	1808	Gmoliohh.exe	91
PID 1808 wrote to memory of 4160	1808	Gmoliohh.exe	91
PID 4160 wrote to memory of 3508	4160	Gqkhjn32.exe	92
PID 4160 wrote to memory of 3508	4160	Gqkhjn32.exe	92
PID 4160 wrote to memory of 3508	4160	Gqkhjn32.exe	92
PID 3508 wrote to memory of 4228	3508	Gcidfi32.exe	93
PID 3508 wrote to memory of 4228	3508	Gcidfi32.exe	93
PID 3508 wrote to memory of 4228	3508	Gcidfi32.exe	93
PID 4228 wrote to memory of 1888	4228	Gfhqbe32.exe	95
PID 4228 wrote to memory of 1888	4228	Gfhqbe32.exe	95
PID 4228 wrote to memory of 1888	4228	Gfhqbe32.exe	95
PID 1888 wrote to memory of 620	1888	Gmaioo32.exe	96
PID 1888 wrote to memory of 620	1888	Gmaioo32.exe	96
PID 1888 wrote to memory of 620	1888	Gmaioo32.exe	96
PID 620 wrote to memory of 4660	620	Hclakimb.exe	97
PID 620 wrote to memory of 4660	620	Hclakimb.exe	97
PID 620 wrote to memory of 4660	620	Hclakimb.exe	97
PID 4660 wrote to memory of 2864	4660	Hfjmgdlf.exe	99
PID 4660 wrote to memory of 2864	4660	Hfjmgdlf.exe	99
PID 4660 wrote to memory of 2864	4660	Hfjmgdlf.exe	99
PID 2864 wrote to memory of 4112	2864	Hjfihc32.exe	100
PID 2864 wrote to memory of 4112	2864	Hjfihc32.exe	100
PID 2864 wrote to memory of 4112	2864	Hjfihc32.exe	100
PID 4112 wrote to memory of 4248	4112	Hmdedo32.exe	101
PID 4112 wrote to memory of 4248	4112	Hmdedo32.exe	101
PID 4112 wrote to memory of 4248	4112	Hmdedo32.exe	101
PID 4248 wrote to memory of 3480	4248	Hpbaqj32.exe	102
PID 4248 wrote to memory of 3480	4248	Hpbaqj32.exe	102
PID 4248 wrote to memory of 3480	4248	Hpbaqj32.exe	102
PID 3480 wrote to memory of 2084	3480	Hbanme32.exe	103
PID 3480 wrote to memory of 2084	3480	Hbanme32.exe	103
PID 3480 wrote to memory of 2084	3480	Hbanme32.exe	103
PID 2084 wrote to memory of 972	2084	Hfljmdjc.exe	104
PID 2084 wrote to memory of 972	2084	Hfljmdjc.exe	104
PID 2084 wrote to memory of 972	2084	Hfljmdjc.exe	104
PID 972 wrote to memory of 4540	972	Hmfbjnbp.exe	105
PID 972 wrote to memory of 4540	972	Hmfbjnbp.exe	105
PID 972 wrote to memory of 4540	972	Hmfbjnbp.exe	105
PID 4540 wrote to memory of 1652	4540	Hpenfjad.exe	106

C:\Users\Admin\AppData\Local\Temp\1bef02afc46e78f7583bcccfb941f570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1bef02afc46e78f7583bcccfb941f570_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\SysWOW64\Gbgkfg32.exe
  C:\Windows\system32\Gbgkfg32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\Gjocgdkg.exe
    C:\Windows\system32\Gjocgdkg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Windows\SysWOW64\Gmmocpjk.exe
      C:\Windows\system32\Gmmocpjk.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:460
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        27⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        28⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        30⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        33⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        35⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        39⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        46⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        49⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        57⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        58⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        63⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        66⤵
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        67⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        68⤵
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        69⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        70⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        72⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        73⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        75⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4072
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        78⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        82⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4560
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        85⤵
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        86⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        87⤵
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        88⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        89⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        90⤵
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4668
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        92⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3260
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2220
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        96⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        97⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        98⤵
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        100⤵
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        105⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        106⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        107⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        109⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        111⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        115⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        117⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        118⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        119⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        120⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        121⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        122⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        123⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        130⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        131⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        136⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        137⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        139⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        140⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        142⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        143⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        145⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        148⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 408
        150⤵
        Program crash
        
        PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5300 -ip 5300
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
81KB

MD5
8ae37e890d688ef34bd387e19a2db379

SHA1
d0a67f8113881f3e0e7c3975f0782d7b5691b78f

SHA256
32ccb35c7eaaf2aa40816d72173fc810194e66c4009520bd31dfcfb3eb4f2cdd

SHA512
92a8a9b32f1cfa5025b5b0e0cef10048a6eaeac35ea91e7231a67c95c8ee04912ae539a52a2fc7d8123db0bc0c19f677a726b4bc6cff2c2b7c929c74b5caa124

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
81KB

MD5
28a4f845a135f128dd489e85d7dae51a

SHA1
b096ed1b399716be64e7e9a50e00607267e36d2c

SHA256
aaf4244201b60adce0889f325ce5434178116be9ae5a7e1b88260de7dfd9b7e5

SHA512
2efc58af38b1a81876f13a001e27b94c891accfd2a86cb7bf51dc21337d4c0042eb16ba7c211b5b68f07edccb235911cccef20d299798f5ad4e2cc0df68384e8

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
81KB

MD5
3ceee8d8fb106f6b7bcdd9cb9d1dabc4

SHA1
b216cb528d04a4e7bca01c035b368129a52f0957

SHA256
5f436aea1b5eb58e6027b80335821e55860e97d73a7fe452daa4d8a10ac620ab

SHA512
20611e5940ad446e1fc06ac5419079d4877e1c1bc4b5b69bca41585ea427563352a17e311b7108f990c9e028cd5dc9b98d4fa55f2294d4bc22c2caf53bd95e2d

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
81KB

MD5
ebcc781614e02b8cceedfa39b8bf6701

SHA1
ea35a5297a177b0af33e9f0819ee218fd5f4b807

SHA256
f644a4eabc0832a58ff986e61d816f3882292a93dcebca58bb6b891688c06d5a

SHA512
0b5f2c97699a7b165f5b2998527360b9c5058e18c312ac79fcbd0a9350d6c057cd4620addb36e29fea64ac384928b39c97b6a7b8a4bf00359d1f5fbba47c2a93

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
81KB

MD5
1837b6b74ca0e031e9031348f139ec5a

SHA1
763e932dc943d12302f88a656477ec80b94a3608

SHA256
82cfe04d029526bf6c6098b632cc13ac079769e601c71166c0dd2efb431608f9

SHA512
69913c2a30ff366dc2c489fcdd1b695c868fbad9e124aff0cbf34c0c1fb398091bdf802d731a6daa89c8fbf1c9c566eab01d4b918a784691a2c99f0e504d9d5a

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
81KB

MD5
df714dbb25242dfcfc314167adbce931

SHA1
f8d24a306db8b04a73ede18e04e0a274c192eb44

SHA256
11e57a45bf06171ca6a0191594032d9464b5dfb4e1e334fa561be6586d3f2623

SHA512
8280710f39ca6321851b84b14f416fe5140630764d7970ff4d8a7a56ec96dab49154b2cdabddc0ef3c21887630f2d32801567848985d514d0d8de39268a4b7ba

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
81KB

MD5
e0022750ae7bcad22028b7c3e3dc5b3c

SHA1
73cd302a27649f964d043c052d882eec9a3da2ea

SHA256
d9b17078fc6d8b1b1523c3e6ed0282d93fc5d25430d12e096796c0448d478df1

SHA512
9e308f694ef34d378f7f432d8b4390d5f575d7e576ec242f59878fc2ce23ee0634188646c1ec2f97933c935718fc2d0d23762e6f1bee10a3c2fabd02f563db89

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
81KB

MD5
a9506ae0248ccbc4ecc0238a89306f7d

SHA1
d3166b0bbabee939e583af3c60d517a47a51c9e6

SHA256
a3ad020035a26a4726e7aa605a4e392bfa054b032acf7999f47373f2c5496d61

SHA512
82712a2638a815475222454fe31ad349c9a64ef5063c3f373aeb64401dede1bc2efb2e1611ef00aadbe0fb6958104f16423baae56e5ab77ec1e04f7fe262b45c

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
81KB

MD5
321fc2e42ce47a5d250e6cca09c3e823

SHA1
6a8997f81c13847bff0b5679bacd493eb2683fd2

SHA256
9ad810f165ceac71b3f0393d16673937f5ec63905be72d16ce3cf66c00474ea6

SHA512
1f6e91ad61b551932b672f429c35fca3c3bd745aca5b25442747d68244c0a2324244516f9b84b798ce743a46c9688289c07e929511de82d0a566442726313a73

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
81KB

MD5
8b75fb20c100ef58b2d828338e146183

SHA1
711f69c4cc854039d0aac5e5001de7bd624af60f

SHA256
fcd28d3caa10d01b6d8fe3ac140d169d0bff5061533833b66385587e089f9bef

SHA512
3db765633c4796f194eca37469d4c913598e14fd189c29b8caec29c0e6836f85d8d4212fc65296824f96b5e4a3944eca9392bfb8d09c8b50ae8f88d97dcb28f6

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
81KB

MD5
2e4e125e280e13578ba2a4701ee467f0

SHA1
ab30099f63e65b082d1cc08c72218057589e8e3f

SHA256
d300a5518a539020ea44e1cc8aead35a070f46118ea39dbd04914c68a7bda11d

SHA512
4f2957a1d11f2e166183c4288eefcb5f97cc09e77c232a7330d9f635ec809e94c3deba000668a719bea64f070a5dd1bab89e4572f556d1cf5626b5b680ae42c9

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
81KB

MD5
3e43ae61844e49620ef8c608eb3e5dd1

SHA1
a35ebead1aca9575de224a6271b2662c6a694134

SHA256
91333efa61dade69e6f8c07681817ea052f5e20e84b2d49bab76adc1b4a0b5f3

SHA512
bb7cb4cf41d5ff746d87da0bab19e016027d1c19863a2b97718e958566fbdf6ab3110094574eedff9cefcd210fde08c9e082ac3c81ccb11399ab0f019ea4ed0e

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
81KB

MD5
5fc0354958881fd086a3792ee47f5176

SHA1
70b8ddfb16a3c8deb1b1fca2f344757b715f93f6

SHA256
d16945944248dc024de029c692d179b855aafe72f0a0fdfc67d3338fdf644972

SHA512
038ca840d197a77de32c20ec04a27679a2b805006fadb9ace937587b9a1419cf2ed3155142db72a8a8a6206659719e7614ed9b5f929706792c7da7203fba0589

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
81KB

MD5
bb548e0bfd52defd3a6313a5f073b37b

SHA1
d9eaaa0ff96081dd5f2354e555dcce8fe9e1811b

SHA256
d2af454227f8bcbeba5acfbe1c8e1a6b3571e893f8949665b0e24dd5a8357c7f

SHA512
d42eb496f57388fe3edb0fc48a3cacf6014b4678e18f48f62894373b924e4b18f502b319c433de6bf5e904bfd11bf372aa184eaaf62c9a394930396a9f44f9bf

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
81KB

MD5
5d80998cd8a68ab5fe9955bb0ac1afc3

SHA1
323e4ff57feab08e3bd0d3caaad6a8545fce28bb

SHA256
16d50e5a4575174d49933b0f2298cb632012400c312b7ac350e9227665014a49

SHA512
b36d969c0ed893e02f6302566e7ed9b2d490052d33fc700c92ef9df29e5ad5c7bcdc572e95a0f876cf7231ef81447c53e251abde92a261a90304bff8c2e9ef1b

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
81KB

MD5
33fa6fcec076ec7a4775bb7a63f50d91

SHA1
e03d76fd3f8f86a73237cb88bf5d1c9aaea403df

SHA256
8bb70174cf0ebb1f5a54d29b545bc1394caf49ed29c76ce21aa8672159f9dc9f

SHA512
c650e6b6b8f940ab93b5c230c30218b2efd8e9b8a1ca890ed47c85ef4f91c1197178835f1e48bc82a7685ffcb6ee01364b6ad6482d0e3850ba9309363a2b6854

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
81KB

MD5
06fcb43b9330f915ad3a772eec597137

SHA1
688385c45cbb1ae279d393198747517e2f7a2edb

SHA256
29e2f129c8f93a3a2460f4a4c2aad6bbfdfe4f97d665ba1317a6bd7d5451d578

SHA512
0b6d4ea56abc3c989aec06419b9ad3a92a11db8eab663bb9e746436f0dd7faaabc6971d06094c2ae3a6dc238c38cf73c5188f677950ac1086c41ce34d9f9872d

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
81KB

MD5
bb3408697642ffe73e46b1a89e40f99d

SHA1
b2c49b5a23eb9c5eb6d34c60af97dd383946a46e

SHA256
a96c340bbafa68e243990f591b6fd5da89c8e9e682847f60ec7a4c1139f2973e

SHA512
34622e27e30a03962ae9ca8cc540d5b832d10276fc07e5d9c1cfe910547117cbad5f6d0f3207fd0746b79968a1a3de12ebf5a15c567d788629384632a16410b8

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
81KB

MD5
82585be6a93c33b224ceb984d1d4b64a

SHA1
36551394d46fb1f04d38597012cc780c601bdf53

SHA256
110e247f6ef9376f31cb2f7bf8421c063b1e949975bc78d6b760f01e10f00a49

SHA512
f877dbf2d519a17c3a3188fbdfc11e85310dc8af7ed9e760d3a0f23ca4ea5da700743f0827e4099d09d6f50a05524e4803856ce8224b91735d6532aaa11a8b13

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
81KB

MD5
735ac56963d1105ccaa5ed8c208db088

SHA1
fc6bff2145d41bae468e61f6f16ee5c8596fccdb

SHA256
0785a1043952f48dabf2225b581e521d555123ee22a5e2c58c1237511b647a14

SHA512
fff77f182b8e70224849d6798d8a97512dcf8ca320972d3a60c20557bd4b00a30bf3d2e57657939b61792feb464be8115aa53ab41b44078193fd1120adba6554

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
81KB

MD5
223d77c8f778557c7a2898822ea5f78b

SHA1
8b077aa41928878c24ebf7aa43dadd0f425b1beb

SHA256
07d5bd8d9f6098863cec593e3740d7c9494b7bf9e29d7dd2184ee9e5bd0a00f9

SHA512
adf2e7eae83779282812c48e33ec532eef1896f2b882a9b9cf3d1b15b9b853af705152402402ffa782f123206feca8bf68bbed6b1f1cc9935234c3bec266cf15

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
81KB

MD5
17edf63e1807272f1df6b1d5daadf7f5

SHA1
79057c60a9595a803a533bb1ee8d25fc1aa22b1f

SHA256
38124a7df7c6c672fa349c7cd54fa26e3869eca6090b354cccea6e705167c427

SHA512
59d96a9297e24428b73aedf50971843a24f014813c0bfd632222f031de50ec1312506999ff7c04943e471f2d3ea3350f97bc4b27d6a4dbf5aea46d9e03d39bcc

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
81KB

MD5
b3418d2d1a0c18a97a44d5ebfcb526dc

SHA1
da3e3cc93ca544eb67259fba1e7a469378405745

SHA256
6d93c0e54d26ff8b6ed69edaee33f76bf7f5c6604712df1c15722164ec63ad28

SHA512
7a6ce9e463b8d3b589b6a0eb0588c2a01e30cc99a800be39064a0e5b8eb5df229a5e111fcd23dea238fb5263e7478f77465ba08bf7bd59515f2dde66df2b4680

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
81KB

MD5
154e449b33ed08d5155a7d977e070442

SHA1
43f4c74745df0cc3c28fba34a9677def8f1a68d5

SHA256
d5f874a31424b0a6071e7893f3056b495c4ec1524b647688f845c3c8960cf8ad

SHA512
fdff721da78e0bb79269dffd357536642c39dc6f653c270785bd293a22fff2bc34979c0d3d4dca5df53202750e44fc931530d2a412490ef9ed96429e55eb895c

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
81KB

MD5
5611cedd236d51eba77094e0ee146804

SHA1
411b767d2dcf5c01a0c4c6abaa02e731b0b7ff70

SHA256
01e1b748292aa95a0e9f4274ffbb722ee83e85d3618ff9d7adb141fc36dc64b6

SHA512
814548bf3ad42bb02e655092dea1aae3e6b9675dc1886e9e3e9c56a1b93d401826c7e0605f32a6771dd8ddc8a583527a4daf3a253bdba90b3bc029a9da925c84

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
81KB

MD5
a51dadc02fd169835198b2e7c1afbdac

SHA1
a4fa1a3286d58d872269efd4bbec3d2694f08b4e

SHA256
c6ecfa30ea4c8c61e1347af68059c3f12343dc9a99c78fad1e1e172026f5282a

SHA512
ed76cd41468716422d60b212e8b77a79f7ee1d40c70776f8d39c55544607d1ac900528e0c8a9c1f0275297ead9c654a448dc5c16e4f40824b4aa45f303168aaf

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
81KB

MD5
6c065d888b9abd4c416fe85325ed81a3

SHA1
f12b42e5f2c2c806611639070db99a6836f6f090

SHA256
a0feadc9ced426a39a45ee59bb1fb98c595796c812deb6117bc416d12021a9d3

SHA512
685055c96a71a7d622318b09dea450cdb96562934a4190d84aecc03fea08e160f22fe356813a2eaba69f5025f77666df54aac1e8c531e2a4050b2a80fa0fc377

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
81KB

MD5
f18f97824c2108bceebdea42e381ae07

SHA1
73e6ea4d188ab0d5f03bda61f30dbe76f966cb5c

SHA256
c6d9b44e8c1170392a78a2e2c9b08c48afde8857c44b5d87fb7cc0043d8713ec

SHA512
2ab4991210bbfe36a610990157733db36eb1862e90eb5afa9fd39cfbdeb4e7178ca62d0d10c3ed5fbbc6849577f7f78f1acbb0fdc17c060b064cad1b72eb5f0a

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
81KB

MD5
7bfa0e9001725b968b1718d171eec106

SHA1
87daeb543bed34ce44e52cd44f641ee746c039e5

SHA256
c594d172a0c8301d71f6fb56d9ee974f7dfb075ea23040a4e13158fa1d134988

SHA512
97c5a76ad8052ad54c7bee0fc9faf1078a9d89799f5caef6f6f72f12e9ddfac0fd0028ce042452ed4452fef907ba316e6b1b3f3509f4116e6c517abd1e0663c1

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
81KB

MD5
7f79b08d8797d87cf2919916a41d02c0

SHA1
f30485c990cf64f87f28914d33c625fa82690314

SHA256
f398aa63ec8139f4a8b2ccb441b2e2f9a31195a6b6d5c6d983f0e45477b084dd

SHA512
76c1570ac4d433570c0f6e7d02a884fa9113cb373a11af5857428640e2b69d9c4a35b9cc26e35165c97c67ab7a859a531c358f8e5356310490b65b21d2cc42fd

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
81KB

MD5
ba425a2a7018c540c93c3cf69d20821f

SHA1
f31efd554f239b08ddc945f2db28189dde239142

SHA256
202405b64a52883c441c1c6485645635eceae0c640a1943b07a02cbbb7795447

SHA512
8a52683f4c827d63ab6f23e37f805c54cd5f5b7727f6516257d48bb27403ed201e927ba8896f7b463c26263637ad631308de2d5c1c54b0704c7f067bed37433b

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
81KB

MD5
30bd5a748027064d286540ec2ee6626c

SHA1
b3ac65b6d702a8ed65ed5c750784288e53791250

SHA256
90a33a9e2e68401a3ff8ae7a06e20615e7011ea85f6bd991b38774daf134765e

SHA512
c7989a3cb2288dc0f989007489e8ab6ea5822f23cd0b1ad348e69915d3485ad42bc94a92c2a965fe3f9b42e49644b8de7b52637bdf1513f1e8d2dae066246e42

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
81KB

MD5
c185f18cfa11d65275ebd432202a6717

SHA1
144e78a4c7fe195022baafcdd938388529db6714

SHA256
6b994dc9c3aed39551b1eae339ce13ea7eb9423952179119baab1e7fd71d73bf

SHA512
81524b850d00a552237f603fb3eeb57bb4097ebf1328397aaea15e01bdffae1a31f3f1a2bad76eb003b9bc27336ea16fd206031ec57cb872cd61b5df5cdc4ab8

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
81KB

MD5
3af9785a1ad07b0c0626ba491ea18a9c

SHA1
745ca0c4d757c2187e5764a13c071d8378fc7f75

SHA256
b7e16fa0ebbc888554f149244477f32fe679b4bcf1395d925e99fa959d10617c

SHA512
98fdceff3a47e9845fb4de9a2899dcbf502493bf35bffc8929f0f47bfd21a1f4a5f5f555748375b2620967445fcdd5d124a7b9b02c73ab74e0648c3006ca1b59

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
81KB

MD5
1c6d947cfc455012d69d3dbbd4d0b2da

SHA1
ec338bde4cafeda8eca91c141a315611fb315fb0

SHA256
b011ba8d11c6685378517472b88c2bd5c40bb71d47960a9cb714b4a90ce5bea0

SHA512
7694829bef3b3a402a3eeb02960e889887b7164a9e13e916747008307c78830c98f905588551da151920a1a6f2a8d35bbc534f22f394ebdc77a837aeacf4155e

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
81KB

MD5
9b8500933033d7f7fbe530330789ee61

SHA1
8ceabc7df140a03ba863c859efa0abdca2779092

SHA256
7a12afc4a268ac7e04d2735c43ec5de08e8f2aeb835d5420f6b2122786a53f50

SHA512
517b8d99c49c8fc3d9accbd0f482fd72a60a5b0b6ae31e9bad1a6e8d8813ba1b39bd00f28864f71c93ebfed8734a0c8ff6c926d9ac09d90540913cf4f646f76c

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
81KB

MD5
13c9bf87364d9d6ba864932fbcbbb1f1

SHA1
c23d5f47eecc05f5d38f7a8bb83b87ecb248f602

SHA256
bb6bf18c9273d83b23b68f935ef8ae5185e09a7aca2a59d2aadf3cf0ae8425db

SHA512
6bac1b032cd0cea8e3cdff4927f0afeb6074bd38355042a7d72ab2c5f7e2c45722eef658f42ac67392382c3214a8345315f4637340081f17d418995b74358e17

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
81KB

MD5
8a86322744e1ed8fc3a5be603b17ebbc

SHA1
e5eadf69bcd9b2250c0df6c48f86d5fbf29566eb

SHA256
07d153d9bddd95b3c2e11cb2c797cf2c0b953bc5747b03001709f91022fd12dd

SHA512
8c5680809301fc6dc8b15598cc76033c02df1de9fc159e578aea4c97fcebe41e6a999801b0b05eacf806ab8d40be363a70d5288cbc9cbbde5e629881ff8e8ff4

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
81KB

MD5
7eee329f6957b7de9df162b162dd0e5e

SHA1
4597fbbb12224d11d25d3b81b8a3fc7ad2655731

SHA256
ea39bc41696035f592d022c5513350164d215f4a87865b5d170163abe8458c2c

SHA512
58416ebd0629e75df0b79c0c68c4e77535bb1d2e1e049aea9d9502955a51490ecb6ce384cfe065e2a92a1353dde446e276e98482e63e2233b1a2f61afc97b34d

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
81KB

MD5
253acdbde3ef4a79a0aa4ed761e37647

SHA1
e1b8da62aec01f55f56ab6423d5057ff6bd6aa05

SHA256
23476771e5f0638f413d23c39d3aa15093996e22dc72e26f39c0909d6589665d

SHA512
d6296a02d7375e87ca7df4f6bebf340ed3bcea06ae0cf38065cc45837f818f8561fe74830160daf4d08d1316a9827aea393a44bc9c6bbcd16fa70039620a48ab

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
81KB

MD5
b9e14b09d9c4dcd04eaca7492e9c2fa8

SHA1
5093ac6eca4d7d8cd15ef28695434889ef408707

SHA256
396751917af769d9403f32bf14649f3e87901ecc4f6058bdb14d2f3fe2d9c61b

SHA512
30e495247137110716e10c0d2c3f60f25a1fa6fc263206fc4cad50c69ac207e6e5a3d9c49c51d99301daeb4c42cfd52473cd8a82cd43b4b71445733c7865947c

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
81KB

MD5
a7cb9cc7bb582676a7a3c59baf853e14

SHA1
dcf6bd302dba173ffe209ad2378d8c40b776f49b

SHA256
bb225f523c23757a3d1f1ce80c7b46a9625ec34db2270c1f98e30b4c64d00931

SHA512
0be3e31a5bff4321e528f3d2fe2e7a4474b38d215e78684e0531072ecf5ecebbf49c44a7f3937ce3858c3c1cc9df1bb878fb85cb3af2db5e005559824770fe55

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
81KB

MD5
53187adb64192db5dda8d55a88441de8

SHA1
a2beabf3282a9bf1ea64aeb34fdc2ed1755d75a3

SHA256
ac6d0b3b69d22566df1802394b1b776b43e044ef5253b5f8256ecb0c8b77b24f

SHA512
71870671a09e7a1666bae0e7679803d73d6b940fcd5cce31deb6b347ce1cf590f96affb30c44dfb9c5e888216f24ae58b0014dc5ca81048cca3e54f29b06a84f

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
81KB

MD5
a891a1cf3dba7b21e46df1f87ab3e6ec

SHA1
8843a4ea8ebc67ceaaa4833e43947b8534580951

SHA256
dd00bfaa35ebec5fdcc560d1e12a9e152aac6c03421656d5fbf52933ec857178

SHA512
c2c85f407005157004f595ab1db9800604dd6ba8e326c37a3482f1f79c1c3cbabe56445d587b40f08912ef39895f4a4c2a67542a3028e06cb0cd4552041ae841

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
81KB

MD5
e0a87718bdad84d892f03c7286435130

SHA1
0b3dad7cc2eec4a3697de51ae021b2ca2e52c3dd

SHA256
7a57fedc0612fc5ab05fd63c1f3b4af0fcc733432f8016d4cbbaaf1d2080f4e3

SHA512
c8bfd62be87bd3edfa344abfa6bbd090c0a23c91899b9ded75af64465d18411bc890e95d951676f16f21f035c3a80e6295dde730d4a7864d2ce64d3b56878bc6

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
81KB

MD5
7ec96173e00d27e80a3cb181c799e3ff

SHA1
cb4c96e92eae80a16dcd0327401faa668db1d5b9

SHA256
1312569a7501f0b08cc416214e6969fd48d348e436b7e5d0597e34e0e6b5fc1b

SHA512
729e2e07b568ce9b7d8f3b09d3894a55c76450f04511921bce41a01716d663ebcacf648f238565b0a204bb00a55b9ef1a6d1113428105cd3082f07300c93b2f5

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
81KB

MD5
e4381588daa1de759ec65a0e386aca55

SHA1
388c562b118500441f928c6d87002b83908d2992

SHA256
2920498620cf75b2d8b4bc65c5df90ca2f17611815b69c4806d90f0c9320d4e4

SHA512
6456f2468678bc82953425e0f72d53e542c1de345e3bbf15d29c16dc68ea49ada78f02e950fa9ad60c31ad9ebd1d52fc039ee85fd9f17637f8b37f0e77dc23ce

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
81KB

MD5
a87577d68cfec713ece9997637f8c160

SHA1
c13952b95069b29a3122c3faac9f94adce3f43ec

SHA256
52fc9bfd49445f08b5ef0464f44805e5998435aadc41ba273201272d876142bd

SHA512
5874365405ac5f66cbee9724353a0158be8e354b8e0d7419f2fe315a787fbf97695d775483423f40cf5ad2aa45b7955a3c32e99739bd48870a1074b20a787877

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
81KB

MD5
0b227ce4a61279b729b2ea97c40d2d58

SHA1
8305d7dd31b803d731315f6ef2bb61a7d94cf502

SHA256
d5850e2ab9f9249affa77fa0bef4257b61c69c49669b954bfb0be4c68d67f635

SHA512
5e8a48e0fd4d56505f7598852894fbd493bbffa12ea6113074535e0899826af7f065655c64cbe054f774f491c39ad148529da5535c49d2ac32da8b3a3b7e81d8

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
81KB

MD5
4da418637ea012dc0cf0e1f75110cf62

SHA1
d88ac4bf70cdbc4d7b46eff3aac0be477ea08132

SHA256
25706f537e9cfb45f24d5cda64703cda00dd2ae5c6b5284c8c445c5acc780639

SHA512
cb9d52f17cf4a59761c4e0bf08d72abb268fa05c7f88524bbf8b2a6d641bd336bf687b19a8bd5042ac75952ab637f548b13365c83b17c740285b988db686cb61

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
81KB

MD5
5d872b77c070d8bdf04009d3360a5afe

SHA1
02820ac8a441d27e8514c2e2e15e8db1446f5b45

SHA256
e5f94a3de14956ad4dc40ef373b74214f737b76858481b8a8c936944c33c2178

SHA512
b12d317c8a9f8563fed76792bd2f8d92ff2e56a14569289d738342f2cdd039119020f0e3ebc6d63aacec9c3f48384da1d1bafbb5b8d8924ceba32f547243872d

Download Submit
memory/408-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/620-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3452-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-1085-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5284-1001-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads