107fe6e74f7424cb36991665aa69a6e5d63a3692c03f4bf6a3f5d91af51eeebd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe
Size

100KB
MD5

35ac8acd142946e33c9f8ec2a5c83bc0
SHA1

9c16cb06fb3b5a89ba927f861580177b6638d8ff
SHA256

107fe6e74f7424cb36991665aa69a6e5d63a3692c03f4bf6a3f5d91af51eeebd
SHA512

53ac281980cc8afe90d0bd4d5cbef2600d83ea66423f4c03a6f41ad07e741099b5e42ce8ff672eed93602083efa535638337a4149fb7646719ad65ffa60ccc6a
SSDEEP

3072:j/4SZqEibuOOkCsRtPxEgb3a3+X13XRz:j/4SZqu/WtPxB7aOl3Bz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe

Executes dropped EXE 64 IoCs

pid	Process
1288	Fcnejk32.exe
836	Fflaff32.exe
2728	Fijmbb32.exe
3600	Fodeolof.exe
3828	Gcpapkgp.exe
2104	Gfnnlffc.exe
556	Gimjhafg.exe
4756	Gogbdl32.exe
1864	Gbenqg32.exe
2436	Giofnacd.exe
4948	Goiojk32.exe
4172	Gbgkfg32.exe
4432	Gmmocpjk.exe
3288	Gcggpj32.exe
212	Gfedle32.exe
4108	Gmoliohh.exe
3376	Gpnhekgl.exe
2040	Gfhqbe32.exe
4624	Gifmnpnl.exe
2572	Gameonno.exe
3484	Hboagf32.exe
1568	Hjfihc32.exe
2696	Hapaemll.exe
4672	Hcnnaikp.exe
2552	Hfljmdjc.exe
4772	Hikfip32.exe
4556	Hpenfjad.exe
4548	Hfofbd32.exe
4788	Hjjbcbqj.exe
3028	Hmioonpn.exe
3112	Hccglh32.exe
5108	Hfachc32.exe
4364	Hippdo32.exe
3228	Hmklen32.exe
2384	Hcedaheh.exe
3928	Hfcpncdk.exe
548	Hjolnb32.exe
1712	Hmmhjm32.exe
3432	Ipldfi32.exe
2876	Ibjqcd32.exe
5028	Iidipnal.exe
4392	Icjmmg32.exe
1944	Ibmmhdhm.exe
4908	Ijdeiaio.exe
2564	Imbaemhc.exe
4212	Icljbg32.exe
1484	Ifjfnb32.exe
8	Iiibkn32.exe
3232	Iapjlk32.exe
4436	Idofhfmm.exe
2468	Ifmcdblq.exe
2156	Iikopmkd.exe
4844	Iabgaklg.exe
3652	Ipegmg32.exe
2600	Ifopiajn.exe
3932	Iinlemia.exe
4608	Jpgdbg32.exe
1424	Jbfpobpb.exe
3152	Jjmhppqd.exe
4228	Jiphkm32.exe
2304	Jagqlj32.exe
1368	Jpjqhgol.exe
2924	Jbhmdbnp.exe
3680	Jfdida32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5384	5792	WerFault.exe	228

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1288	3720	35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe	82
PID 3720 wrote to memory of 1288	3720	35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe	82
PID 3720 wrote to memory of 1288	3720	35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe	82
PID 1288 wrote to memory of 836	1288	Fcnejk32.exe	83
PID 1288 wrote to memory of 836	1288	Fcnejk32.exe	83
PID 1288 wrote to memory of 836	1288	Fcnejk32.exe	83
PID 836 wrote to memory of 2728	836	Fflaff32.exe	84
PID 836 wrote to memory of 2728	836	Fflaff32.exe	84
PID 836 wrote to memory of 2728	836	Fflaff32.exe	84
PID 2728 wrote to memory of 3600	2728	Fijmbb32.exe	85
PID 2728 wrote to memory of 3600	2728	Fijmbb32.exe	85
PID 2728 wrote to memory of 3600	2728	Fijmbb32.exe	85
PID 3600 wrote to memory of 3828	3600	Fodeolof.exe	86
PID 3600 wrote to memory of 3828	3600	Fodeolof.exe	86
PID 3600 wrote to memory of 3828	3600	Fodeolof.exe	86
PID 3828 wrote to memory of 2104	3828	Gcpapkgp.exe	87
PID 3828 wrote to memory of 2104	3828	Gcpapkgp.exe	87
PID 3828 wrote to memory of 2104	3828	Gcpapkgp.exe	87
PID 2104 wrote to memory of 556	2104	Gfnnlffc.exe	88
PID 2104 wrote to memory of 556	2104	Gfnnlffc.exe	88
PID 2104 wrote to memory of 556	2104	Gfnnlffc.exe	88
PID 556 wrote to memory of 4756	556	Gimjhafg.exe	89
PID 556 wrote to memory of 4756	556	Gimjhafg.exe	89
PID 556 wrote to memory of 4756	556	Gimjhafg.exe	89
PID 4756 wrote to memory of 1864	4756	Gogbdl32.exe	91
PID 4756 wrote to memory of 1864	4756	Gogbdl32.exe	91
PID 4756 wrote to memory of 1864	4756	Gogbdl32.exe	91
PID 1864 wrote to memory of 2436	1864	Gbenqg32.exe	92
PID 1864 wrote to memory of 2436	1864	Gbenqg32.exe	92
PID 1864 wrote to memory of 2436	1864	Gbenqg32.exe	92
PID 2436 wrote to memory of 4948	2436	Giofnacd.exe	93
PID 2436 wrote to memory of 4948	2436	Giofnacd.exe	93
PID 2436 wrote to memory of 4948	2436	Giofnacd.exe	93
PID 4948 wrote to memory of 4172	4948	Goiojk32.exe	94
PID 4948 wrote to memory of 4172	4948	Goiojk32.exe	94
PID 4948 wrote to memory of 4172	4948	Goiojk32.exe	94
PID 4172 wrote to memory of 4432	4172	Gbgkfg32.exe	95
PID 4172 wrote to memory of 4432	4172	Gbgkfg32.exe	95
PID 4172 wrote to memory of 4432	4172	Gbgkfg32.exe	95
PID 4432 wrote to memory of 3288	4432	Gmmocpjk.exe	96
PID 4432 wrote to memory of 3288	4432	Gmmocpjk.exe	96
PID 4432 wrote to memory of 3288	4432	Gmmocpjk.exe	96
PID 3288 wrote to memory of 212	3288	Gcggpj32.exe	97
PID 3288 wrote to memory of 212	3288	Gcggpj32.exe	97
PID 3288 wrote to memory of 212	3288	Gcggpj32.exe	97
PID 212 wrote to memory of 4108	212	Gfedle32.exe	98
PID 212 wrote to memory of 4108	212	Gfedle32.exe	98
PID 212 wrote to memory of 4108	212	Gfedle32.exe	98
PID 4108 wrote to memory of 3376	4108	Gmoliohh.exe	99
PID 4108 wrote to memory of 3376	4108	Gmoliohh.exe	99
PID 4108 wrote to memory of 3376	4108	Gmoliohh.exe	99
PID 3376 wrote to memory of 2040	3376	Gpnhekgl.exe	100
PID 3376 wrote to memory of 2040	3376	Gpnhekgl.exe	100
PID 3376 wrote to memory of 2040	3376	Gpnhekgl.exe	100
PID 2040 wrote to memory of 4624	2040	Gfhqbe32.exe	102
PID 2040 wrote to memory of 4624	2040	Gfhqbe32.exe	102
PID 2040 wrote to memory of 4624	2040	Gfhqbe32.exe	102
PID 4624 wrote to memory of 2572	4624	Gifmnpnl.exe	103
PID 4624 wrote to memory of 2572	4624	Gifmnpnl.exe	103
PID 4624 wrote to memory of 2572	4624	Gifmnpnl.exe	103
PID 2572 wrote to memory of 3484	2572	Gameonno.exe	104
PID 2572 wrote to memory of 3484	2572	Gameonno.exe	104
PID 2572 wrote to memory of 3484	2572	Gameonno.exe	104
PID 3484 wrote to memory of 1568	3484	Hboagf32.exe	105

C:\Users\Admin\AppData\Local\Temp\35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35ac8acd142946e33c9f8ec2a5c83bc0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\Fcnejk32.exe
  C:\Windows\system32\Fcnejk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Fflaff32.exe
    C:\Windows\system32\Fflaff32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\Fijmbb32.exe
      C:\Windows\system32\Fijmbb32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        25⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        26⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        35⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        38⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        39⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        40⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        43⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        44⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        45⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        48⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        56⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        60⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        66⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        72⤵
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2228
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        75⤵
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        76⤵
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        77⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1852
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3824
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        81⤵
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        82⤵
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        83⤵
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        86⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        87⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2928
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3840
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        90⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        91⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1656
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        93⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        94⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        96⤵
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        98⤵
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        99⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        100⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        101⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        103⤵
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        104⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        105⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        106⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        109⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        110⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        114⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        115⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        116⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        117⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        120⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        122⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        123⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        125⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        128⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        132⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        134⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        136⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        137⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        139⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        141⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        142⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 420
        143⤵
        Program crash
        
        PID:5384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5792 -ip 5792
1⤵
PID:6056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
100KB

MD5
415cce4bf96c7a7e394f4c0aea0f1780

SHA1
36ce9e034838767bd758c178524239442d7273f8

SHA256
98ffb41c38f747262b00887e3eacec181699662b3fa064d22abb179c6f34ca1f

SHA512
c53f450562c6ea9e2fda8c90f81aa220d12174d2b4ff3e4449787ab6c3835dde1a6107ae39e9e3b3edcd3f50d8311b0d1cd3980401736c40315af8fcd3c9a06f

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
100KB

MD5
b090b70067fef2a4cc196c9cd46c9de9

SHA1
fc8c9f1ee8aeb2d7272c115d8c9da25e8007596d

SHA256
6d086d7a96b52eed008b21c0f4b0083bc39c87b70b9fe2dd3855aa9f64ea8150

SHA512
bdb5dc044a626ac8dcc1b2deabc36d199e5cb0942fad25a61e6ac4f6c6e2662fd6b6b16d5ab841fd7e1897e83b3f1bb92d128293d1d2c7884101784f778463f5

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
100KB

MD5
4aff1815745001b5ed9e5f82a0e5e867

SHA1
280468f7ae7a31dd0302a61eedddbe1cda5344f7

SHA256
4d67b6ce62286db8e91e2b2efebdd1795d9719b83168b0481ba96d864db10647

SHA512
2aedc9d069e644d0002b1190075588a832c75e6302a2e62d91e0128300dc351baf5cb330f0702c3ffa76e31edad100231158468028093180eace495639a1d94d

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
100KB

MD5
c0fd35a0e32d736cf50790a637a889a0

SHA1
ca9b49a94eb1cd2afa1548ca0794b38599bd72df

SHA256
10174024a148741edc65afdd6ad0198a6a3c8ee0845aaec90302991ba30657b8

SHA512
ed2a853ebea4046c1bee6eac5a8bd453de9c51a294297f2989392d51552067cfb7136aa743a89bed204c8fec1c68defea258c3002a72d22e88d0c644e8aa4a8e

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
100KB

MD5
4cfc5f7fb1213e0c3173b072ca8e5e5b

SHA1
d2ddd6d11b546a4d335dbd30820d26c18e5e7d4f

SHA256
283eb0014ffe7e9ebdb8d0945fdeb8d8ee9e941e1575604549ac105859a94852

SHA512
bb8140647aec60c922b49b356ac17830548c6b5d3e37be7c68f09500bb41ecf9d6e7f67b4c73e2d9e509e84d2c5689a1701b34b4b54a2e2573ff79f50dadfc5d

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
100KB

MD5
6470887b31e5d7bc92858cc07751c9dd

SHA1
a816f167149144302602e2840e30bdd2955bffae

SHA256
5a8000ea962af3f244fe18d512969c3b75be8611cab2768886abe44ee2b79492

SHA512
cdcd30c29e8c06d84d4ba7e01a8ea545cfb39606779c29499e913a480b4fd62f4190cf58e447d254d763dd16ddcfa6e231a6ba976f885c5a524e63f107b2e307

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
100KB

MD5
f1b92eacf06d45b446c20f2b730eac71

SHA1
97187f5805333561d3f902efb1d376ab74442217

SHA256
a56f8e872cd13f5a00142b14876592947f7e39bdceb9264e7fa015f904f5328d

SHA512
1a02f82e238a3417b1d31d7710911972e0c9d9fed3b710a0ce6a1c579f198cc37f6aa0f98e64a1bd3a7d84f7db667c7561e96a32c3e4ca6b57eccc0821a01785

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
100KB

MD5
b6cb88398634c0215ccf566ef35cc3b0

SHA1
9a99fa9fed4336305b7e76d2722d385cd33caacd

SHA256
40812834b6848457d38e68e48bb69ff07b65abc00c30813e79f5ff01289ef130

SHA512
ac8b57764c5d720c395d048e9e9c7eadf305fe05e32f8e9a1f7a8233cc30c357abec99888205938a14f2519d82c13385396b7bc8ef8371b94e6e765d5e0c93ab

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
100KB

MD5
f4cab72ff3bc5861508eff02f3fab119

SHA1
e260ab3fce04cc0eda73030a09f155fb8458e380

SHA256
be551a175fa8b125e9acbeb828ce9ff1a83dc3790923b665fe04939b8589376e

SHA512
52fba5318caa972f9a1a8a33dc8da0964c187f8342067c8b2459e8766e7d1959f38062810b3053b3df23077bffee91653b62ccdbf8a37ba3f6beb89a1f521e95

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
100KB

MD5
c91ff4add11d260c263c758e4faf9d0f

SHA1
f2d41b269eb89379be9b5a582e7123374ca96cc5

SHA256
d90226833cd2ac888b8819b539e7eaf988d4142799a567021c4bd42fdb07ac7a

SHA512
b619f533beac7d6ab61887d1a1e555d7d3016a9c85cb50a11fa4ba4ba776c07157bf520df32e952d13134a7f3ae1ff7afacd51216223321f4f893a538e5df334

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
100KB

MD5
8f595c18f2925f3073a55be8aac3ac20

SHA1
82a9c91bcbdd701e9f9587858b4e841a38e49536

SHA256
f80f47e9c4d82425e36f7206fee196daef9a4857aa355b201674600a5106c211

SHA512
29edf7fba5b452bccd7afe8d40a622326fef4144aeb13bc5ba92d6aa68ca3804621baf575e6fda9a83522ef0a8d522d4c836f1c28268d6656fa5558ea1534053

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
100KB

MD5
2c05464f8bad55ff513ac8755ad178a2

SHA1
24dec2e657247073e6186c00335888335b30fcc6

SHA256
c597b9218fba84678164daca051a20591751cb83a488f5c862425d311578e56b

SHA512
c8380ae417c68a61eee9ab15a3de1ed49cae7e5b7cc6f030e7400df9aff34c8ead9f855ecd64de67aea1fb863fa51b32ac0475e21326719489f73001cfb824f3

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
100KB

MD5
9a1f1c94903b5d69d3e25d8fedccc8a1

SHA1
4443e28ce07a1710e0b7d0ae50da541045136953

SHA256
ff95bc30ca5881b68b757d286e07ac1d0b79a375931a67335e56437c47cdbd81

SHA512
93b1f1ccb8fbdc366e36399573f23a524ead1aeec1f269c8d821e33354ee04766ceeb7b488ca253406ff059b19011ddc06df6f67744ee3707c0e607b908816a3

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
100KB

MD5
4757faccfd3f157cb3f716df59e0cc2a

SHA1
2d99d266a4c2633a693fca165f9c5c0098f1a0cf

SHA256
974d362ced586bb1f16a9007871cd831253b813bf28da75a6e4e350e5688687a

SHA512
733edaa9b4cc1fd38256c097be1a13dab5993a306d4378d580565a71c4f7c7eb30764e2337c6e58ffdd9c4d73116440a9ee97bb4115ff3b6964af3e7bb79f9e9

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
100KB

MD5
958acc97be78fab0a1844d9cd6a9c13f

SHA1
b7f2539ab7ae6fa5acee8f49cbc46d1c48912020

SHA256
485bd71f2db4a25d1075d9af72796ef2fe09fe66a4432db361865794d6f377ef

SHA512
cfd32a9224b250b88065a5f243e3090669f6b9c256deac5863ac1407e810b2bdadc7c6387d86391302e249bcc958ada01569bd3bea78d30127f1eabe329c11c0

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
100KB

MD5
265c7393cb4af6d538410f772bd058f4

SHA1
767b5348aefb24a914f02e3562c33e732f8df83e

SHA256
076c5f108dedc56262b66da4561b59ff8adc6e05dcd602397ed6cbc2dde8526a

SHA512
dbac8e4798d67bd0d185b8aeee44135f13d7fdec8c79d7bd259010900778d42f303c373e12c9321f4dfb27e0fa58a11505b2c10530127495b9d55b3fbafd90a6

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
100KB

MD5
fbcd642e3c093a199d7a463440ed6769

SHA1
2601b3da11e2f0a39bbf8a0aa107c9c8b2f3a2cb

SHA256
6883969f5052dfcd3dbd8ea49c0a7562d847a011090db9945a79929809a8fc08

SHA512
f295bd6160158d9697d6f4ab3db9582cc50a2cb9c96177252b2f48ffcdd55107c42835543876fd39302d10242c0884205ead44069f402826dde93c44e07760dd

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
100KB

MD5
52bcc3010d3c45487c7873e3042483ec

SHA1
149bf0e22c78e0f143c6db8dc87b33cd8e55dba5

SHA256
d3a5bd51ef47c84bc47324c6efd89bb0adb1cacdc5654add6c902abd2c7fea17

SHA512
61c8b4c73f8313885179971a27cd5228cb389db61d6707411b18767f5db1fc41d6f8632b79feea30e5a4b23cb8f07ac8d4c434d00f4e78934eab811a92bf7042

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
100KB

MD5
b94a652138c6aa6490fa1af8d4a6551f

SHA1
d63b9c81e2796e18b0415fca1cebc87fb8e73f1b

SHA256
199e96ddfd853923f22253dae75da926585b24d3996db9b5b309be62533c39cb

SHA512
848dd5a7531aa251e513506d653ae9645135ca9fd2e1f913eb9cba7848e175f5515081ac29da15e86b1f13f510efd4b39d52156018112df00aa18d21fbaabb20

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
100KB

MD5
f16968dc0b342614cfe0cd35e577f682

SHA1
a7f07f94c09010db9b7dc2c41f0af57479da7e81

SHA256
04981d423a2403d62a520f6f2d9eecae42069dfc9e77191b23913930b8ce8d59

SHA512
05068d79aec1ebce87de8bd28d82eb3248efe4cc0bef7195e59141f19ce90bd72cd7631c69447eae52030bbd4a868f06a7f08d88b8426e66ee9d9be2b580c5ca

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
100KB

MD5
fb7810c4f7dc662ebd1c31d9faced4e7

SHA1
0b9f5576cd4ddf9494871f957b71d174bb7c47bf

SHA256
0b52f79cdb56cf1f8f84a89a73643b566b7cded7a1fa35780249e2985cfcb33c

SHA512
b80653be9afee6ba3b4e65f69630f010ed842be08bce747e30e84a47ef8a9f7c4cb505003e2c980d654c3ff1e53df9a9a68ac001ef37d19f57006bccf29371ed

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
100KB

MD5
d38a5b1cb14cb835c810890a3686d734

SHA1
23ed37b66cc1dd7e59811f4abfa74af6a8d9bd05

SHA256
01bccb609d6bcd1d8bb68ed9329efe98de2752a1f75d4892156d221004092c36

SHA512
63924c7bc6b3f6d1ea934b3e88ad7f3038d6196615f87b0447e7e32503fc337819bbf1c7a6bc5e10029ad2ccf22c5e9fe83d5b56519118406fddaa30c28ddc90

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
100KB

MD5
94076d37ae84d8295a72ee4eaca1ea37

SHA1
201ef6f180830856849da391cc6a3c18d119d417

SHA256
087fd5f0140a3ac01f82854546dfe2c5bdbf579e7b82bf192f726983c4f04d55

SHA512
3b5e68ae26c1e3ef128da4bf004287a45370836e12f4ac3f3cffd0226ee13c5b7f75957fd6c984ed5949b4928cd433ef38e7258023339dd97815f03f5d9c3e79

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
100KB

MD5
9218a7eaa33a6ac1220f91d0a2f95e53

SHA1
b4345550c31ffc2065217920901be3af0bba9a61

SHA256
0f6c4bf6557465f54ee4ebf38bcb6c5624cc1b58ca8baa35ad48eeeaf4b920b2

SHA512
fca1791ab736d439ffd8dfc77bc283208f644dcfbabf30c44e28b98dd42db79381c69cdd3fe267646b1380318bd56ef4eea96eae5d6138a7d70698d973807d7d

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
100KB

MD5
4f989056a9482064d2356a641019a9f3

SHA1
b3786478dad9ca4024d5924df3ff1e3c3025a48e

SHA256
17dea96acd19ae5453333b3f3b863c3d7991cf7514e0a35499e6a68cc8769a9a

SHA512
4de548b0034e5e77553cc64d412dc0798ba4026a5633c91d3b5da1f09d2d6d141ef82c69ce63ed9544797960cdf199cc2f9f4462003b96d95badc0fe126e8a24

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
100KB

MD5
49a79895304339e82b0ad39ea804e012

SHA1
64d849ed1ff18e366dcd18695e65b7b7abb76b28

SHA256
d139033c8e5298400e2dd3a0487ef73b3c8522cae825285aad5b5f23248df6f6

SHA512
0f7a9bd612bc8c4369a2877ad7bcea9bc11e8b672e67b96ff325338ddbece0fdf3bda8b255f91c87b9459a570320f8aa4a028056376ae915716867d1a567a2ef

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
100KB

MD5
30e9cde06c8004162fb96fbfb22f2bf9

SHA1
bbbdad846adea2a7f4613fb5d4ae7ea8069ac9dd

SHA256
db3cfe9303ad0ccf24030d978a9974dab38c9d7d392adc96b5c24986a276af92

SHA512
83b3881802d5aa479e2f8177a659056ea68d041ce5877e1978e372ad561ed8fbc5669b8855c10580851064786b017f0d51a45575df03eca0773f417f628f3a02

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
100KB

MD5
810a5106e06409ef4bb6c7f86a1cc46e

SHA1
648eb6a058ab0d65f6abde01cac8d25aa0de6264

SHA256
bc390106cc5fcb52b2ae9bfc5f40dfc6757f4837c287a72557a60d8a6bd7c658

SHA512
9f04ed7b6adf6493355c2f06e66bad2aaf778857441a283db30fbfe288b2cebf6f99f23986073f6c58dd755ce6e45e15ad316448a6a3d50b37debcec4182ffb2

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
100KB

MD5
f6251f820640ea139f4fc4e7cd95a52f

SHA1
5a7619daea7f199da5b6663da450d75a9794bc31

SHA256
529c1b9fa98b78b2c2a4609f6448631cdc43d0952e2fcc793aaa36eb5e76a076

SHA512
fe35374cf92e547c6e2ffcba4842d8e5432cb92611fe6f843bd443346370bec5cbff437586ac87adf0c467592158e5cb941ddb9615b11d81b3ed827d7e9169a8

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
100KB

MD5
5aa76db20b1be6c491225b062be1784b

SHA1
6aa3879a461ff10522cccb047927a76ff13baa0c

SHA256
12f66b7b898856f2126a27305d331e21ae786dd4be0a0d42ff13fb53217ad050

SHA512
b0286146307828480a5e253c454d08cde64a16f904c998e66dae38ebce1eba03bea0d9b5c4d1bd7d71431ce0680fdaed2f31fdd1debe625d873634a229dc2f57

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
100KB

MD5
169575f55224a4c56ed16ad7f36b6ac7

SHA1
a2aba7df69ec3f148d91b95b725f1c897adeef71

SHA256
d21b4f08464a3570736b8a1a8595ced3037c8d9aa5fd3f81adf505d77d664d48

SHA512
5778a43335f9dce17b20ce7ed026af543385e69a0c137f0d1a72f8e5da83740b81d82a0e9ee428930c91a45d3042194ff2b88da793112a1c3cc0e63a99c2fd58

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
100KB

MD5
4db43810ab1fe41492ed8bf1b04aae22

SHA1
c131a3141f86dd54e4d0854054d5bdb6517750fd

SHA256
ee34a2908910bd9ebf44e013ed580a121603bf0de75e54fad9bf3c272a675a24

SHA512
d7b2e55aa112ee5c047ddb35eca2d0e47202ec3c350866a44ff4df28c95b8b7a66b5b31d977fc8ef4b17546b3f2bcf18eaa9a3cf5a1b46e2dfba014f04054ff1

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
100KB

MD5
815abc341efdf1ac14ec260a2f21d2f5

SHA1
1c836cf4056d457577758d804ab1aaaaddb67283

SHA256
b27b70dfaf513d5e66c518d0c56ffffe7d6992e7f8feb690ce7add9a2085c44b

SHA512
f7c973cb5e4ea1b090b7c2d8b9705a9ce55a597940a1e90abcf98b1f8db9a3790894bf1aea06cfd2bd3814cc40ea2116f7660665469d99c5d549beac09941738

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
100KB

MD5
25a2283035a4373401914e3fa7a5cf36

SHA1
961f148708d0374cfb9cecdddf289746816cf5cc

SHA256
8c5541bef14192fd65563ffbd18c43101048dd6d3fb72a20da126a369317f1b2

SHA512
6a3a592e0a839f4624c4c7f76ae225657c27d9ae3b70fb0b39f06a6cbe7a26a7cd38e66053928df2c819ed532ca09f25b7e59ae603084f7e2733c314def7f162

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
100KB

MD5
105ea82704d414de6c2cae0643193193

SHA1
0cce1715416214783e6f84a1af470f817d5c00fc

SHA256
bd7b6d91c49b8743222cc05d3b71f9eca3319ede20794bb225f33aa1caf6c5e8

SHA512
d590c2b082d3b102498de601eb69706b002bd82b6817671d96e1064952f789c8ca93c6f4992c380a9e160e852bae76ac83ad10ba1f9e3524a758d685898e4183

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
100KB

MD5
9cc37f25437a1b15f4169aca12dc0edc

SHA1
6b7a882ffd9bfe1df65327ef406f5d5c954cf514

SHA256
7e70198edb47ca9d2b2e0ed683237408ce01f8c249c9b00e458193ebe6b49a0d

SHA512
fd23aac626be710947043c5e4dce6083f6bf275d57183693aa5f700a3ffdd89e621994644fb5d973e9ba8a49e4f4b2a9a9f5544f19ef7cc221d8d8b1293e8770

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
100KB

MD5
1a2c0e422ce251d30349737ca50f80c5

SHA1
5bdbb64145fb50e614240773ef9fa08def01dbcc

SHA256
6b13d6984a9812f7ef2512c7ee380f94b3d485d58c4ce0ca6bd7cda55a95235b

SHA512
6c59f6a3d349271ac1ab4ea7018c89364bff8c6b291c7c58af3e26faaa2fd4e822d6873094fa9cfc3a46610afee38942f6b042b815618aa3af43aae61f2b7501

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
100KB

MD5
69375b8fe51b4066db87a3699e086416

SHA1
c0ae7dd157f45717de8ca081014588cfd5f4b15a

SHA256
7a5814c08f5ac4b85d00ef7dda9e461b33ab2dc67b12770c0d6586f8dc219150

SHA512
ef4439902bd2266c4c5fa8990920ce2cc23ac786aff212284d3639b968fe221e3c5973f477bbc0208384b78f24db965af5190e4cfefaa667b3deca8d7908dc0c

Download Submit
C:\Windows\SysWOW64\Kjeebd32.dll

Filesize
7KB

MD5
f6ffe34923d493d746c0b69a1dbc2167

SHA1
1d6e29958fca51e4097761cc1d4a7e2e87a5e0a1

SHA256
51b89c3c2170390f22cea53116ea0a2531c3042f427cfaca645d1ffb0a4e67ba

SHA512
7bdf06f1df5e7e1b2481514b627278f0fd7006c1c52d1d1e2dac2bedd69cbb46c79f15b1c1c8e359df2c86554df418357a264254fc48a01f84eee670ee65682e

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
100KB

MD5
1dd2e3de07c68d7cb046ca98be298c43

SHA1
41d84d546288deb9ffca36fd3befa998a32ee4fb

SHA256
2f07831992f1100bba997e31b631af0edf5424a006760e1ba8b7cb11b63396bc

SHA512
8f7ff2a58b5e091d90f9ecd996175e39d4636434320c4bf898c326559015b528550024c26a6ef2e380fed5a7a5425c9ae28ae1833c9f1b1a1160a1ae7683df26

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
100KB

MD5
4bd05032625fa5b303927c8c7766b98d

SHA1
b4b1fb14d67b213211093931cb8093ffaaeb2e9e

SHA256
e8b927ebc181e919bd02d1427e57d12f2ca038a2ace77032da62c6e2f2958aeb

SHA512
c250f05f6402bbe8480024c0c877239e2eac86506d8d8965584efa855a53cb1d059bb47072ce56951c2f6682e4572b33eefb425d589834c61d9ccd9d6800fb92

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
100KB

MD5
83acceae37a8c0a896caf73c44453157

SHA1
6d94586abde5ab4629ef8c804d409bc10b249094

SHA256
c14f375cbfa924fe5fc72bab5ffd65d38380c26e696919eb7967250f43e085e3

SHA512
77707226d8c2909467e6d09d65a106b2e40f0ec142a2577995354f6d4e0d34e99e26f8fdc99804f1bf3f407564d23875fe7e5e1d8b816a706e7a2d996114a102

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
100KB

MD5
86121933c921cd33126b0615791b9149

SHA1
693fe85a36bfdbdc42e3444a176e37baa95443f0

SHA256
e3a479fdfb73a1ea6e3f85665debd74b83eda79a7c02ae138855606bf482af64

SHA512
c0c40ab4480228f5aed1d9898ef67e32eb742291fef9a578a272deb1f0fe0f5d41e8d1eeb6d92f240920d0c44d597100e57507619af56a496c30419e2f01e871

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
100KB

MD5
939e7ce19abcee694e723db666fb05bb

SHA1
11c0bb694d7248ac990b7d096891e4e8530f146a

SHA256
10ad4b7df8dd60a2d08f1901965c50fa5700359ffa7f8eab3b3fc99c8f96041e

SHA512
13c04ed8b412172efc7c567ef21e011e080f4411c1ee7355728d8e4b8e31f1cea8d4e6b866366ab4464d816ce16e4432c7fb76fa0dfcd3e81c0421675c345b96

Download Submit
memory/8-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/212-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/548-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/556-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/556-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/784-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/836-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1368-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1424-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1484-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1784-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1852-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-608-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-609-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2104-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2104-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2384-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2728-564-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2728-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2928-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3112-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3152-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3376-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3400-528-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3432-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3484-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3600-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3608-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3628-522-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3684-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3824-542-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3828-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3840-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3928-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3932-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3984-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4212-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4228-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4392-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4624-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4664-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4672-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4744-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4788-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-584-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads