2545ea10a99de590e31d239272445550d8dcfebafbf0cd08eeb193b2b4b7e1e3

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ad5f719d4e4eef0a760341ca555390_NeikiAnalytics.exe
Size

98KB
MD5

97ad5f719d4e4eef0a760341ca555390
SHA1

70c8e8d79a6875b7708483033597717a36b4e9fa
SHA256

2545ea10a99de590e31d239272445550d8dcfebafbf0cd08eeb193b2b4b7e1e3
SHA512

99afe5579200d99c6ff385d169fa825c8202d49bcb2ccc0e59259d71634290ccb089c3586aabf23f458a1ee5e19eac89fbb39c8423f530721d79da7fcc06b871
SSDEEP

3072:MUQo0ssu98uUOSqwxvppEyX47EMeFKPD375lHzpa1P:Mno0JzqYpy7EMeYr75lHzpaF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe

Executes dropped EXE 64 IoCs

pid	Process
2476	Ebnoikqb.exe
4480	Ehhgfdho.exe
3192	Ecmlcmhe.exe
1940	Eflhoigi.exe
1936	Eleplc32.exe
1308	Ehlaaddj.exe
1164	Ecbenm32.exe
4296	Ejlmkgkl.exe
4328	Eqfeha32.exe
5072	Fjnjqfij.exe
2960	Fokbim32.exe
4836	Fjqgff32.exe
1044	Fomonm32.exe
3460	Fbllkh32.exe
4552	Fmapha32.exe
2220	Fopldmcl.exe
3964	Ffjdqg32.exe
4772	Fihqmb32.exe
2260	Fcnejk32.exe
740	Fijmbb32.exe
2284	Gcpapkgp.exe
5008	Gmhfhp32.exe
4892	Gcbnejem.exe
1532	Gjlfbd32.exe
624	Gqfooodg.exe
5000	Gbgkfg32.exe
1568	Gmmocpjk.exe
2456	Gpklpkio.exe
1868	Gfedle32.exe
380	Gqkhjn32.exe
4968	Gfhqbe32.exe
3860	Gifmnpnl.exe
3708	Gameonno.exe
3664	Hboagf32.exe
2928	Hjfihc32.exe
4704	Hapaemll.exe
1796	Hbanme32.exe
4936	Hfljmdjc.exe
2936	Hikfip32.exe
4928	Habnjm32.exe
392	Hcqjfh32.exe
4024	Hfofbd32.exe
2820	Himcoo32.exe
1496	Hpgkkioa.exe
4408	Hbeghene.exe
4008	Hjmoibog.exe
620	Hmklen32.exe
5052	Hpihai32.exe
4504	Hfcpncdk.exe
3680	Haidklda.exe
4468	Iffmccbi.exe
1468	Iidipnal.exe
1224	Icjmmg32.exe
3668	Ijdeiaio.exe
988	Imbaemhc.exe
2696	Icljbg32.exe
2060	Ijfboafl.exe
3856	Imdnklfp.exe
1236	Ibagcc32.exe
4432	Ifopiajn.exe
4316	Iinlemia.exe
4056	Jaedgjjd.exe
2504	Jdcpcf32.exe
4700	Jjmhppqd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Iebapp32.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Ecmlcmhe.exe	Ehhgfdho.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gameonno.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hpihai32.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fijmbb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5912	5676	WerFault.exe	222

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	97ad5f719d4e4eef0a760341ca555390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2476	2676	97ad5f719d4e4eef0a760341ca555390_NeikiAnalytics.exe	81
PID 2676 wrote to memory of 2476	2676	97ad5f719d4e4eef0a760341ca555390_NeikiAnalytics.exe	81
PID 2676 wrote to memory of 2476	2676	97ad5f719d4e4eef0a760341ca555390_NeikiAnalytics.exe	81
PID 2476 wrote to memory of 4480	2476	Ebnoikqb.exe	82
PID 2476 wrote to memory of 4480	2476	Ebnoikqb.exe	82
PID 2476 wrote to memory of 4480	2476	Ebnoikqb.exe	82
PID 4480 wrote to memory of 3192	4480	Ehhgfdho.exe	83
PID 4480 wrote to memory of 3192	4480	Ehhgfdho.exe	83
PID 4480 wrote to memory of 3192	4480	Ehhgfdho.exe	83
PID 3192 wrote to memory of 1940	3192	Ecmlcmhe.exe	84
PID 3192 wrote to memory of 1940	3192	Ecmlcmhe.exe	84
PID 3192 wrote to memory of 1940	3192	Ecmlcmhe.exe	84
PID 1940 wrote to memory of 1936	1940	Eflhoigi.exe	85
PID 1940 wrote to memory of 1936	1940	Eflhoigi.exe	85
PID 1940 wrote to memory of 1936	1940	Eflhoigi.exe	85
PID 1936 wrote to memory of 1308	1936	Eleplc32.exe	86
PID 1936 wrote to memory of 1308	1936	Eleplc32.exe	86
PID 1936 wrote to memory of 1308	1936	Eleplc32.exe	86
PID 1308 wrote to memory of 1164	1308	Ehlaaddj.exe	87
PID 1308 wrote to memory of 1164	1308	Ehlaaddj.exe	87
PID 1308 wrote to memory of 1164	1308	Ehlaaddj.exe	87
PID 1164 wrote to memory of 4296	1164	Ecbenm32.exe	88
PID 1164 wrote to memory of 4296	1164	Ecbenm32.exe	88
PID 1164 wrote to memory of 4296	1164	Ecbenm32.exe	88
PID 4296 wrote to memory of 4328	4296	Ejlmkgkl.exe	89
PID 4296 wrote to memory of 4328	4296	Ejlmkgkl.exe	89
PID 4296 wrote to memory of 4328	4296	Ejlmkgkl.exe	89
PID 4328 wrote to memory of 5072	4328	Eqfeha32.exe	90
PID 4328 wrote to memory of 5072	4328	Eqfeha32.exe	90
PID 4328 wrote to memory of 5072	4328	Eqfeha32.exe	90
PID 5072 wrote to memory of 2960	5072	Fjnjqfij.exe	92
PID 5072 wrote to memory of 2960	5072	Fjnjqfij.exe	92
PID 5072 wrote to memory of 2960	5072	Fjnjqfij.exe	92
PID 2960 wrote to memory of 4836	2960	Fokbim32.exe	93
PID 2960 wrote to memory of 4836	2960	Fokbim32.exe	93
PID 2960 wrote to memory of 4836	2960	Fokbim32.exe	93
PID 4836 wrote to memory of 1044	4836	Fjqgff32.exe	94
PID 4836 wrote to memory of 1044	4836	Fjqgff32.exe	94
PID 4836 wrote to memory of 1044	4836	Fjqgff32.exe	94
PID 1044 wrote to memory of 3460	1044	Fomonm32.exe	95
PID 1044 wrote to memory of 3460	1044	Fomonm32.exe	95
PID 1044 wrote to memory of 3460	1044	Fomonm32.exe	95
PID 3460 wrote to memory of 4552	3460	Fbllkh32.exe	96
PID 3460 wrote to memory of 4552	3460	Fbllkh32.exe	96
PID 3460 wrote to memory of 4552	3460	Fbllkh32.exe	96
PID 4552 wrote to memory of 2220	4552	Fmapha32.exe	98
PID 4552 wrote to memory of 2220	4552	Fmapha32.exe	98
PID 4552 wrote to memory of 2220	4552	Fmapha32.exe	98
PID 2220 wrote to memory of 3964	2220	Fopldmcl.exe	99
PID 2220 wrote to memory of 3964	2220	Fopldmcl.exe	99
PID 2220 wrote to memory of 3964	2220	Fopldmcl.exe	99
PID 3964 wrote to memory of 4772	3964	Ffjdqg32.exe	100
PID 3964 wrote to memory of 4772	3964	Ffjdqg32.exe	100
PID 3964 wrote to memory of 4772	3964	Ffjdqg32.exe	100
PID 4772 wrote to memory of 2260	4772	Fihqmb32.exe	101
PID 4772 wrote to memory of 2260	4772	Fihqmb32.exe	101
PID 4772 wrote to memory of 2260	4772	Fihqmb32.exe	101
PID 2260 wrote to memory of 740	2260	Fcnejk32.exe	102
PID 2260 wrote to memory of 740	2260	Fcnejk32.exe	102
PID 2260 wrote to memory of 740	2260	Fcnejk32.exe	102
PID 740 wrote to memory of 2284	740	Fijmbb32.exe	103
PID 740 wrote to memory of 2284	740	Fijmbb32.exe	103
PID 740 wrote to memory of 2284	740	Fijmbb32.exe	103
PID 2284 wrote to memory of 5008	2284	Gcpapkgp.exe	104

C:\Users\Admin\AppData\Local\Temp\97ad5f719d4e4eef0a760341ca555390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\97ad5f719d4e4eef0a760341ca555390_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\Ebnoikqb.exe
  C:\Windows\system32\Ebnoikqb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\Ehhgfdho.exe
    C:\Windows\system32\Ehhgfdho.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\Ecmlcmhe.exe
      C:\Windows\system32\Ecmlcmhe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        23⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        27⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        29⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        30⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        37⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        40⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        48⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        50⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        52⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        54⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        59⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        65⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4976
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        72⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1644
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2036
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        77⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        78⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        81⤵
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        82⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3808
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4824
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        86⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        87⤵
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        90⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        92⤵
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:956
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        97⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        102⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        103⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        105⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        106⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        110⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        112⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        113⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        120⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        122⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        126⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        128⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        129⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        130⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        131⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        132⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        133⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        136⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 412
        137⤵
        Program crash
        
        PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5676 -ip 5676
1⤵
PID:5848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
98KB

MD5
29946551490c87d06aee2abf13a1135f

SHA1
1467dfcc0ebd62dfd1f1a1147c29f9984b1ec3b4

SHA256
64addb18fc843a5e7a0869501c9b933c86b22abed3ccd715619d0235104d58d6

SHA512
aaf601b6078913a6ce1d3f431c6a5a59bb4cfc7abbcf5fd465db69cd6f3f4517af6beb0468890e9e7808432b462de04069d81bb999fb4603299b1f60e603b40f

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
98KB

MD5
d4f03ad799fa99993c2e1dfedea25700

SHA1
4696bbd60e0d091fab1b6000f035b8118598c40b

SHA256
b2c0c89dd885e841cc8396f0fdc99334807c3b9d96d41b596553c576c3fc0cc6

SHA512
d8e76aec61d089a81d6b31ed4b599a5b8633c6a5c12f469f0ef169ba8dd5c19efa55c58ff76f478b24f78a586a1411621ffbe1f7e0a4044f672848e1494b636a

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
98KB

MD5
16738af4ef374969b02d66f0508f69a1

SHA1
fe1a1a550f6ccbdd22d614e69643d4aba8ab2d52

SHA256
6b5f293b5854ceb2a51decae261c23fa8e7f2d9d5c69fa99dd8d162c507dc77c

SHA512
b05412e98aa81dd0e649f385fc25cc9cbdadd48045686ef0ab25b3b5fc541c4d0c4e96ef049339f81da75a3f004d64fc0f4a981cf52ae51ba1170f7ec2609124

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
98KB

MD5
148f62a579f9cbf3d60d56fc4fb63f41

SHA1
e6ded328e43cf3de196aa95cd9c0b8c4c0c86198

SHA256
c7a0f0d00b4eccb336816d235bee5bb9810a0e6700aee520ff66f90f1dfd33d7

SHA512
08509fbb5365f622fad69b47f894a5ff2cbaba021a480b0910a54cdf90fad21a7ab8c511da55284802dc96153ed3c311536664f990bbdcf673579e8b42b5a6cb

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
98KB

MD5
82e360c7dd74b2f8e3b44aeb3970e243

SHA1
046d9cbddf93c823e3f9ec2209f34e04038cf220

SHA256
33543060bd8389ebd3fb4cc02aefbf21a6126a200deba47065192d07fb6b0e37

SHA512
459a0fc9a92806e3ca768b365e8b42663418d920afbcb9a02fd4d4eed483a9abbafce585b37949c4322ad633303157feb2afe56eff00cfcf61e9c03e9e2b5ffe

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
98KB

MD5
9966d7a686732cdef6eec36e78d7fd12

SHA1
4e4173c008662ec967641fc332f77f6ca87bb63a

SHA256
1ed718edb2c2da000c503a36a6fbb21a71f668dbb783e02ad16ce5726e7d99dd

SHA512
21695c543c74afa886f1c3d7d193c5b76fae9369c1421e439557408215b7fc2545b3002cedde0636bab4db6885d0130e45703fb061905fb2bfbaf9bc70aba1d0

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
98KB

MD5
0e326386fad9bb9e1f4ebbe32bc49f56

SHA1
59ded63cdf9c776156bec0160bd41f50343ed0f6

SHA256
00bb4f3658c2a79e19348ade2c616cf3d32ac3d7178dcb23c21eb64e5b41a6ca

SHA512
11b28b6a980f5e4da022ee64bbc4588fb07bcebab9c68592a3d156c90ec908ae98d091dfe026bccc1e80182a82880befc4e43eedf275a73fb3731949cdc63793

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
98KB

MD5
4299f1647a941802c62403e017b24d7d

SHA1
368e278aa50e0ebbc7dc4d96121d1cab2f7911aa

SHA256
1d227da4e6618ee26998cfdf69a3cbea1efa55cc419fa65c1155fa6e4c3aacc7

SHA512
481530c7cf18753dd7d4593595ba5e2a6ac50aff331d495f16c8a233403299a467956cc95a1dfdc333793cc7f5ba44ad26e841e452692de26285e34c3c850a30

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
98KB

MD5
e738da7e08a99a1d07575c336722a7ee

SHA1
e89ca9591c54793b432e10168ea93a29e65ff212

SHA256
30824c5e8309c9d00cd86e7f8849438039fbd0ddf311aa5586f3b205799405a6

SHA512
7d00e8b22c5964045e9941eb8b0e5a08b7a7af5a60697166838e3f19a846f21606dfae576757e0c1f30c7fd043dd3cf1f03920950bb1eccb8689ca0c7167b607

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
98KB

MD5
bfc27d7f5cc63de249145a2afeb02943

SHA1
b8823fcf3936ebbd5a9895be4f8bfaa5e526c996

SHA256
5ea493099cd547266a4efb36208c09f6980350738cdbf9ce9b2ec66fa39b13df

SHA512
e3842fbbf780e586517346eebe820501a254dd96b745fd8a95818bab1c041f67dfae8c9d0d664ac06d74e0df7ee4a9e62b80bcad3683a979c8685cc9e4c700d4

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
98KB

MD5
fe69e68c412fbadfc8bbe71ee072dd2c

SHA1
f63946e527df8ad0ee23144c3f74d479bd584eea

SHA256
f63c559dad8e643e4a6d3e3ef33e9c4c9d023b53b2b59c22e9fc68371a94f1ab

SHA512
de2a99b0656dad13dd1a88288e2fd470f2089922d41bf7037414bf3591f0bb611c7ef1bce7674ec00c41d45e9399e3755cdc6a0011a5e8dd6db9c077074b344a

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
98KB

MD5
acf2919c685f01f777840f5757c25b20

SHA1
0bb7650db39ecf5e918715d7e15e9af0e61de44f

SHA256
4c0d7f8a22d8d066eae2c8ed89bb686c43bf9b54498b03b061683dacdb265daf

SHA512
1038a5ae1ace2f232b179a70e88b53318575fee315689fd3233f1f4b665866f09c31c85a0a6bf05136deefba45e86a58815da27bdf08fd04670cfb3e467efb32

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
98KB

MD5
175ff0d4bd2981c8c85bd5e6420e38c6

SHA1
0bbf4aea3ea302d449427809d8490ad9edf74014

SHA256
90aac4ef916bf4c2b062101271c904a637f56a090a6cbae9d1ecf0e65c739fc1

SHA512
7d1eee7121754a35a7d366b4a8adcf0f0d865903cc0248fa5ecc63337da85f1fb794f8241e5ef01af04c620261d48257552afc1c4b0941b8cc28c1184ca8dc20

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
98KB

MD5
25f6b29172f4273761f9cce4c201305a

SHA1
02ca07e92ab8974d3e29346937510505903288c2

SHA256
75015561a0d4800cbe81beb27e1e154bcf447991ad81affde1359a3e2e74a981

SHA512
c8c4e5b1a79a9a2b699c57d10277cf3acdb78a75e5065e72bbd9124b68f1712b90d16b363a93af2f7daa170e7b278e4c72e5b822982de13f396bc2e789cea387

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
98KB

MD5
dfb60f1f9848cda381a8f7019a9dea31

SHA1
d808be4e67b1e9a63e96f139e4a8baf8c5a8236e

SHA256
516c147645a734b35a3534d0127321669b55d90cbe946a8d216286c4290ff946

SHA512
5ce1761d65b6886e74a737501f97332833c38c556747d1e90f1ac535ac2487545bfe133a28f919c7ab0b1d154458788291dfe7739d9084ab351a43fff97b618b

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
98KB

MD5
13c366a6f72c49c7e8c5cb1a57919f13

SHA1
e15e2df0061b7893cde58b01a4331c33081e02dc

SHA256
787f5895ffa415fd5b2715cc3378ea701fa75c4f9d54c8b8b172b282c25e1910

SHA512
ecbce021a5515f0835efa32ac1a97ce954e1be20f1aeac797e6cab0461e61b31fd1b2b2e423d658cd10b5a846543413f74d96049bdcd9904316e1558d88533c1

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
98KB

MD5
8263298eff4820418b2b1cb5311d8a8e

SHA1
723c6e31b07515d340b01edf31acfb955f81cd41

SHA256
33dad6b2c1cfd0fc2afb9093c4874cd52c83a99f220e2a1554a36b6f0953b32a

SHA512
425d431f67e6e882a28a0502753dd6761f013a239f3b8c3459ebe778b89042c42944f655be3eb4d96a9d150296f3ddc52649d60b4d9337c184ec8fa22cf65cda

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
98KB

MD5
3e6063cad8fdaae57e9e327a60aeefd4

SHA1
8895006d907e04ccfeebbe9edb7b630e6d5439f3

SHA256
cf436779962d8fe3c7d8330984493b2912495720eeba6df12e1b99a5d5991458

SHA512
7054959ae9542afbe22860fb0bf9343bd57f31ca7376d41a02483509e7f90d24cc0684fbb826840756335ebb7d0bbd5847635d065ad75e2b63e19ced8f9a51cb

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
98KB

MD5
924349b92b2d2f31b81deb133c8fec57

SHA1
dede2c87c0556ef1c397a967f43724f1123c8c5e

SHA256
3a7e241fb2704df455c197f7c080ac412d7e18f15a278fedd186aac59db8ec30

SHA512
822e0efefefab0d804eb407b71948f1e107191ede67e254ed835df89a7017293798dd54dfad6d602d69c6b89c4fc216ae77d594c9f71b4a7c18be5885159fcb3

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
98KB

MD5
c8e4884b702f2937a5bbd9cab57f786d

SHA1
f86d358cb07ae5c17acfcdb02c093983ebd86063

SHA256
6b40ce349c85fe80f28fe0b395154b54e060c2ff59393d625ce0d39ed182ded1

SHA512
0b66ba09fba32281f83828b34f205d3bf2212efbb7254c517079304f1a2383a65fe340ee62d1cbd53ed5fb35b7c46ac492d281351f779f8fb2e801b1e865b2e0

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
98KB

MD5
d1040e49a809f7bcac671b80662e3990

SHA1
09a6ce5372a979cc6e04ae3431da68162fbac788

SHA256
137a8041faaed6e4373ea6fbbc1a5352487c5bbf243e3b52f20290e6fe0448f5

SHA512
86a5ed79c65d52370229a66af5cf67033951f63ae9f8ec13db01152091461340bf19651d54a14b146ae9cb6e4d44b78d556572058c15de80059e42252e9fc1f5

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
98KB

MD5
5e800a3786230568a095d53cca687353

SHA1
8c2b9abe6beafa9d8576c3b9e64b033557278eff

SHA256
bf9ee328acd193c9f4bcaf1b59d452db9d352d3e34d30874f40ddcdc2ebc276e

SHA512
b4bedd3e224f2eae1d2ed2eb0c5e8507e7a50230f7cf05729761f4d23e6540c4cabd5eea22332e2f94139e0209f91c96ce92a28684c801b107da51714d1f9a0a

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
98KB

MD5
346a236641338daf2600688120d2046e

SHA1
299b6b6a8f278d0c5b591395b4fe08d2e3050ca8

SHA256
17798746056c59c7c7b98a6a73c20d1715f4195561b6cd17083d1b917b53efbb

SHA512
dfa1c6bc3b600d4a0edbe822d6eba827f62c2ad9fd9da03973152f24e50cffb760e16913c41b3816773dc32b6df4cd30feb427053a077412f857b37c5fa959eb

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
98KB

MD5
99a07690ee70fa9580a635334367de9b

SHA1
6ceab5aedcd484903b7c0f77c5e594a96109302b

SHA256
2fb40c8561d657b7a6da9e527ef594c89bf3804bf401aeb0decb725a751dd409

SHA512
3cfc2f7f28b463d5e764f9cbeaf0f439c4a1c8ea77f4e8fb1321f529a0cae9537d9cf39d1bfcc503538048773e7244b8a34c17ed46801837dd41f9b7e91166d4

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
98KB

MD5
bba290c73b414fe2a6d3e4bb0323745b

SHA1
c5bca37f5cee23fc2debc84fff38da11aaa3ee76

SHA256
bccfc3abab2fffa6d4a4ec0f21b5b3862e24dbe56abd3b50d537477a14453f3a

SHA512
2fba3e9b514f293a92c779361615691c7c2b4894ef2785849a75cf9e19ef5fe203cb1fac623b7488801dfb69fc39d729d7bf17bd0ebbdfdfda9e917761913a84

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
98KB

MD5
69447b8006859720158c8db17656e185

SHA1
148c6b663fdc08a48132d34813d4d1b224b4d23b

SHA256
6ce725ba762110981588404c58a0faba7a25f1db00d2b5c0bb334b3790922fc0

SHA512
3267dc105583b32c5e624a69dc11601580a23f5f759332c8ae56b42fce4d6075d8afc17296a1ab3c61b8ae4e8ec0f9c912779504e74c20e2fa0e75212cf4a290

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
98KB

MD5
0c5e6a27179b34508676659f7c087655

SHA1
6b76bde58fc2177e5b110400c39e24a49c4b3ec5

SHA256
35409dddcbfc71e0bb1c474745387c147f61af0958337cdc679606e363d23190

SHA512
d9da4f4d5a5d784ee71bdbe14a27f66b65ae24d7d01342ec62d591fdd9c0cf4392ea2d32e10656405acba067cbc047586a9de015418e28b8b3100c969ea06cbf

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
98KB

MD5
5023eb74cc6d476ff9acd8dbc63483ae

SHA1
d29b6a21026a61dcaf5d87177004ece95fd6b5af

SHA256
f1562e651e9ef6d679365407829b3db56299a5897dc5807adcae6aaaf82394b5

SHA512
2871773184f7b6be747e8faba9678d96e0e9df779e0cebd2e8fb8c6e36dec07683c0baac3558ae17c72a089bd8e9220f27cc8ced7eb8648091d3ddeaafdbc21b

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
98KB

MD5
0390ad8134d382b3de96cd35276857bd

SHA1
780b1e96f3040091f9fe3794134b12315505db28

SHA256
42e5ad79269e798f9ea4b60a8712fae924308df7ea1d7ae5afd1b5245ad1e536

SHA512
ca3a9b87913f2d719cdc51001962539ba6f8c0726cea888f0c8da303d2eb98be7447a73d3f60b59d5123f8db478c40f1a4d0455948979499a240de87fbcb0142

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
98KB

MD5
f66fb2c23dbbc0dff7400f5cc247e364

SHA1
a60de046a52c793b238bbd7a53cf44562a2422cb

SHA256
f43732e21eda4ea963c6f43b2519270e9876250c21422a3cd0ec128158e3e9ca

SHA512
f98870623de13822cabdff39a530ac8cc8e30010c386d8984395e4f36009f79fb41bc714c010851472c1a1003dddd73fa0343ea27993f836a05ca31d1026267c

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
98KB

MD5
93c74e9ccb3471d0cf58092ffe71ad23

SHA1
76db7997ad54b55cf95d07347f40e87fee10e63c

SHA256
03f477c8e1e2094fa5b655a69bddb8a06889fea813fc8cf83070cdf89464ed5e

SHA512
2c04aeff3a71f42baeb23b6c998317c531a75c4236752dfc61de3ed7a2bebaab755030ce815dfa242d51318f09ccae0db06fa54568593f1f21c499ab750fb407

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
98KB

MD5
b40eeed468ef452b01f0069b22e5d1dc

SHA1
b68f961e3b32b64c96145322ca1cbb8224c8ad67

SHA256
c0d99f263e8682956a6221a0ad9392b15c25071401e791952044dee452c341cb

SHA512
f0aeaf2a28cbaf93469fb2ef7310f70fa6d18417bb141fc97260f9304cbd23161a57a49a016a049b33eef5991b6000a2bdd291aa114a7df3b3b62bf40a0cc8c0

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
98KB

MD5
e2496304302e1b3da37606f2371143c0

SHA1
b3c63618e650f67df9081e4c1b7d294fd8482486

SHA256
468b5a10a80297c55298747f875c5b3e32e07c602c75f14e961741ff1f63b6bc

SHA512
0ae43a4346b86ac22305b522e69ca4b1f614565a988db4f731a451bc63cf510826c35620e2969ca0b452f81c5c979c1bda9a5a553b00f702581c2420a08f62e1

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
98KB

MD5
2e825542b1e5d45c0d932dff771fd8bf

SHA1
f1dc9639e39f8f6ace2729ee0d1fe111dc6fa0be

SHA256
ad85197dd26269bf7cd21a7cda97b2734172929ab097d46f1956979a8ab30a5c

SHA512
2dc7d3aba2c53fc4cd454b2806b248bab941f1756f39341d6dba03ed1c600fea3f3f06d5146bb727ea4bfe8159d28b176e5360049b43d6e6be82033cf06472ef

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
98KB

MD5
36c3f5b67bb24ac0f307e36870299af9

SHA1
c07d94373b6b7d3a0b667dcc60350987346df1ef

SHA256
ddcbab086d0da17a21677c14b4b756cfb3a421068b32029e9f610c926f5e8380

SHA512
7e42fbdb166a788a4f7cd8b51d5996c978950c17186f7e7e64501d64a7e1fd6b21360a7c612c9b8c8eaec4761a057960b6450a0f41d2c9bdb27c98445bdb94b6

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
98KB

MD5
d1138e344576768763dee5ef7267ba62

SHA1
3ad5137a8f4240c9b75cf6bd1145756fea3b67df

SHA256
347712df566760116a2ed31c5ac8f53afb522714ed3938d42de8702a2671671d

SHA512
d66c7aaf63c510267647070ea75e9ec8ea8099eb81ee2c11d043ada1efa63c97a47c3fb358023e7513db1fcd193ad9d047482fad2c329c1d792619433f6c2af7

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
98KB

MD5
07950c982689250ffc849730cde78640

SHA1
530ae19e9132709adc68eda82ec3910b1d493f7c

SHA256
f3d08c04ac0ebf2ec0d91127706e995ddb24d96706631a1fb0c01d13d4aa955e

SHA512
0202db36d9b6b4d2d836bfadb5a7f1e83c27a3ab2bd860d82eeefd026f11bd0418b28f869460651f9c8b977b54954f748d5ab3f95674574bc57bb1de18844dcc

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
98KB

MD5
02d5c5892d59fe086e167fb0a0af4b3b

SHA1
5e2d5b897d292af7d15eacf2eb251f98db4595a4

SHA256
d197624b1239ad29fedaea91bcdd90d7f3f36abe408d1fa93294da9b8e980309

SHA512
f4c848a1e18fb3ee677b8d45522c3b2a1952e31432437e631f1783657d8a69290550b4a74b6c94e9b5c3f3f4d64dbb34af9558f0d9c264fc1a4abbe21c2f2dbe

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
98KB

MD5
be87869c223ad93778e24dccb5c52e66

SHA1
b747733c12735b935c459321cc865fa1d0ce3e19

SHA256
fa0d85a97933291517f604b17af1820a29f1c167304c35faf968bee32c3fae2c

SHA512
9da7ec23510f11df027d4f626c72bf01b605b55df6cd98cbdf016e73928532e4948216d6b261ac71bb4759bee5c4e4138ec64381c8559e08d06c24701bf68dbb

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
98KB

MD5
8fc9f1a0e977900bbcc507ff4b43a6b3

SHA1
404bcbe0562b43f2009f907bf6aa3de49ec55c39

SHA256
81faf863fe2dfe738d843be93baf38d90c1531aeee687f90e6583e67c0a2e39b

SHA512
6cf51c3376c700de473f3a65055cfd257aa0daa75a70363368174a2ae9b8ffaadd06e589514806a340816199987b4e7432735283a96a5b74f2668c774fac13ed

Download Submit
C:\Windows\SysWOW64\Qjebnamp.dll

Filesize
7KB

MD5
185513dc591c671ef7bb488185729665

SHA1
23aa2d0d3c5e3ffcff424b70ef4e3c50c3317753

SHA256
246d4fe4b02c25955f668f6e589510a4521d7672504f81cee0eb9b17b2d4a6df

SHA512
58d2acfc6ab1b28dd381508c940f038e9ab3ed28d57aeb2edf244e0e725984b5353d7d499ca05e508f1bbc31b1a2a08fe04c329bed73ae8b321f1838aa748800

Download Submit
memory/380-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/620-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/632-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/740-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/988-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1044-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1308-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1308-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1856-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1868-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1940-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1940-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-476-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2476-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2476-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-584-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2928-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3244-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3436-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3460-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3520-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3808-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3856-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3964-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4324-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4700-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4824-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4928-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4932-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4976-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5008-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5072-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5076-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads