a56ad70446bc913be642dd2e64a42b0310c0c65ee7cd9b7b24980f80c4ee9185

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe
Size

80KB
MD5

d99f1e8aba2dc67275fbe9986e92a520
SHA1

e2589b7995c5d3cfed8fe262814ab510c55b1baf
SHA256

a56ad70446bc913be642dd2e64a42b0310c0c65ee7cd9b7b24980f80c4ee9185
SHA512

320f9b13c693bc42796b0aed3b7cba81f482e5b426689f33bda52c294683a80a68abd56a1f5de169f8557bbb25fb808cfd6976a5d557556caf0edd9ca655e710
SSDEEP

1536:3Fhl5ppJtM05Pc20WR25kHydwIpUld/2LMjaIZTJ+7LhkiB0:Vf5nJpZRuFxpjeaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe

Executes dropped EXE 64 IoCs

pid	Process
2388	Gqdbiofi.exe
4744	Gfqjafdq.exe
2240	Gjlfbd32.exe
3904	Gmkbnp32.exe
2480	Gcekkjcj.exe
5104	Gfcgge32.exe
3028	Giacca32.exe
1256	Gmmocpjk.exe
4916	Gcggpj32.exe
4960	Gfedle32.exe
1064	Gjapmdid.exe
2736	Gmoliohh.exe
4424	Gcidfi32.exe
3604	Gjclbc32.exe
5064	Gppekj32.exe
1992	Hboagf32.exe
1676	Hjfihc32.exe
3044	Hapaemll.exe
4768	Hcnnaikp.exe
2180	Hjhfnccl.exe
2524	Hmfbjnbp.exe
3380	Hpenfjad.exe
1724	Hfofbd32.exe
2712	Hjjbcbqj.exe
1756	Hmioonpn.exe
4496	Hccglh32.exe
4604	Hippdo32.exe
812	Haggelfd.exe
208	Hfcpncdk.exe
1964	Haidklda.exe
4388	Icgqggce.exe
3956	Ijaida32.exe
1812	Impepm32.exe
1976	Ipnalhii.exe
3636	Ifhiib32.exe
2444	Ijdeiaio.exe
1712	Iannfk32.exe
4980	Icljbg32.exe
2708	Ijfboafl.exe
3988	Ipckgh32.exe
4568	Ijhodq32.exe
2332	Ibccic32.exe
4460	Iinlemia.exe
4340	Jbfpobpb.exe
1648	Jiphkm32.exe
4760	Jdemhe32.exe
2024	Jibeql32.exe
1108	Jmnaakne.exe
1696	Jplmmfmi.exe
2196	Jbkjjblm.exe
820	Jjbako32.exe
3372	Jpojcf32.exe
5100	Jbmfoa32.exe
4412	Jigollag.exe
516	Jangmibi.exe
1008	Jbocea32.exe
2504	Jiikak32.exe
1492	Kaqcbi32.exe
4672	Kbapjafe.exe
3792	Kkihknfg.exe
4956	Kgphpo32.exe
4720	Kmjqmi32.exe
736	Kphmie32.exe
2704	Kbfiep32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gfedle32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4252	5316	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2388	4712	d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe	82
PID 4712 wrote to memory of 2388	4712	d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe	82
PID 4712 wrote to memory of 2388	4712	d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe	82
PID 2388 wrote to memory of 4744	2388	Gqdbiofi.exe	83
PID 2388 wrote to memory of 4744	2388	Gqdbiofi.exe	83
PID 2388 wrote to memory of 4744	2388	Gqdbiofi.exe	83
PID 4744 wrote to memory of 2240	4744	Gfqjafdq.exe	84
PID 4744 wrote to memory of 2240	4744	Gfqjafdq.exe	84
PID 4744 wrote to memory of 2240	4744	Gfqjafdq.exe	84
PID 2240 wrote to memory of 3904	2240	Gjlfbd32.exe	85
PID 2240 wrote to memory of 3904	2240	Gjlfbd32.exe	85
PID 2240 wrote to memory of 3904	2240	Gjlfbd32.exe	85
PID 3904 wrote to memory of 2480	3904	Gmkbnp32.exe	86
PID 3904 wrote to memory of 2480	3904	Gmkbnp32.exe	86
PID 3904 wrote to memory of 2480	3904	Gmkbnp32.exe	86
PID 2480 wrote to memory of 5104	2480	Gcekkjcj.exe	87
PID 2480 wrote to memory of 5104	2480	Gcekkjcj.exe	87
PID 2480 wrote to memory of 5104	2480	Gcekkjcj.exe	87
PID 5104 wrote to memory of 3028	5104	Gfcgge32.exe	88
PID 5104 wrote to memory of 3028	5104	Gfcgge32.exe	88
PID 5104 wrote to memory of 3028	5104	Gfcgge32.exe	88
PID 3028 wrote to memory of 1256	3028	Giacca32.exe	89
PID 3028 wrote to memory of 1256	3028	Giacca32.exe	89
PID 3028 wrote to memory of 1256	3028	Giacca32.exe	89
PID 1256 wrote to memory of 4916	1256	Gmmocpjk.exe	90
PID 1256 wrote to memory of 4916	1256	Gmmocpjk.exe	90
PID 1256 wrote to memory of 4916	1256	Gmmocpjk.exe	90
PID 4916 wrote to memory of 4960	4916	Gcggpj32.exe	91
PID 4916 wrote to memory of 4960	4916	Gcggpj32.exe	91
PID 4916 wrote to memory of 4960	4916	Gcggpj32.exe	91
PID 4960 wrote to memory of 1064	4960	Gfedle32.exe	93
PID 4960 wrote to memory of 1064	4960	Gfedle32.exe	93
PID 4960 wrote to memory of 1064	4960	Gfedle32.exe	93
PID 1064 wrote to memory of 2736	1064	Gjapmdid.exe	94
PID 1064 wrote to memory of 2736	1064	Gjapmdid.exe	94
PID 1064 wrote to memory of 2736	1064	Gjapmdid.exe	94
PID 2736 wrote to memory of 4424	2736	Gmoliohh.exe	95
PID 2736 wrote to memory of 4424	2736	Gmoliohh.exe	95
PID 2736 wrote to memory of 4424	2736	Gmoliohh.exe	95
PID 4424 wrote to memory of 3604	4424	Gcidfi32.exe	96
PID 4424 wrote to memory of 3604	4424	Gcidfi32.exe	96
PID 4424 wrote to memory of 3604	4424	Gcidfi32.exe	96
PID 3604 wrote to memory of 5064	3604	Gjclbc32.exe	97
PID 3604 wrote to memory of 5064	3604	Gjclbc32.exe	97
PID 3604 wrote to memory of 5064	3604	Gjclbc32.exe	97
PID 5064 wrote to memory of 1992	5064	Gppekj32.exe	98
PID 5064 wrote to memory of 1992	5064	Gppekj32.exe	98
PID 5064 wrote to memory of 1992	5064	Gppekj32.exe	98
PID 1992 wrote to memory of 1676	1992	Hboagf32.exe	100
PID 1992 wrote to memory of 1676	1992	Hboagf32.exe	100
PID 1992 wrote to memory of 1676	1992	Hboagf32.exe	100
PID 1676 wrote to memory of 3044	1676	Hjfihc32.exe	101
PID 1676 wrote to memory of 3044	1676	Hjfihc32.exe	101
PID 1676 wrote to memory of 3044	1676	Hjfihc32.exe	101
PID 3044 wrote to memory of 4768	3044	Hapaemll.exe	102
PID 3044 wrote to memory of 4768	3044	Hapaemll.exe	102
PID 3044 wrote to memory of 4768	3044	Hapaemll.exe	102
PID 4768 wrote to memory of 2180	4768	Hcnnaikp.exe	103
PID 4768 wrote to memory of 2180	4768	Hcnnaikp.exe	103
PID 4768 wrote to memory of 2180	4768	Hcnnaikp.exe	103
PID 2180 wrote to memory of 2524	2180	Hjhfnccl.exe	105
PID 2180 wrote to memory of 2524	2180	Hjhfnccl.exe	105
PID 2180 wrote to memory of 2524	2180	Hjhfnccl.exe	105
PID 2524 wrote to memory of 3380	2524	Hmfbjnbp.exe	106

C:\Users\Admin\AppData\Local\Temp\d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d99f1e8aba2dc67275fbe9986e92a520_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\Gqdbiofi.exe
  C:\Windows\system32\Gqdbiofi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\Gfqjafdq.exe
    C:\Windows\system32\Gfqjafdq.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\Gjlfbd32.exe
      C:\Windows\system32\Gjlfbd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        31⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        36⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        38⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        41⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        45⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        49⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        55⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        56⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        62⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        67⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        69⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1388
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        78⤵
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        79⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        80⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        83⤵
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        84⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3352
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        88⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        93⤵
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        94⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        99⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        100⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        103⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        104⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        112⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        116⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        118⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        121⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 400
        122⤵
        Program crash
        
        PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5316 -ip 5316
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
80KB

MD5
de526b68639633669ef612b83e0d37e1

SHA1
c3ea566d8d70e59dde3bc300e8619054952e40db

SHA256
00439e0683c1d403b30a925e61d4703e9fd8e834bf691b397a4d781ca2d19bcc

SHA512
fc38b0778caecb27839fec5ccc89c8e001c3b7404caa3fcfbf530aa3b3561fbb755e908e4fc169d2408c4f682c87e21fe655804f48fdad308b07796540742714

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
80KB

MD5
9769aa718fbdee4789b117dbb2ee4813

SHA1
4fc666a37510a60086b3fc74216f8405c8119e94

SHA256
8400729d82e8c94779ff5c2b6144b78940549f06f0e0d7d685362e0d60a1604c

SHA512
0bd2237e6788023e83ca5f13896efb0c1c52ae2b00b7f6aa31ac038dbcf56198262a1844309999a4249c5b628f95d71fa36e7e4d21616040bf984d81c799dbfd

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
80KB

MD5
eafa0c4871405cc1bd05021f896cdc8b

SHA1
f00af75e02c8248a0f8842775365396c866a459c

SHA256
60092192580715982d3e9321cdff77c4e88d22680841842e02b057f2654524ae

SHA512
83e7696f31575409b43e584b8169043fa693a4e1b03613365f9fa4d1e5ee4570c865400754367e8eaa50d9734f2e0ce8384bf3aabc767cf60b2b5bfdc9d2d924

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
80KB

MD5
bb296d42fa9a614ff9a327e6deda6b3a

SHA1
893b0027e452954e0be1e79f90f465b1157d7557

SHA256
0d1b260823d8013e0bd8cc71d099b10b627e5ac9dd1c8dd50ea0516d01a1053b

SHA512
a95c24c2ae4f7e64cd0b9714a783e01482320a0da2bccc3cc722de9b3a6d52821f0b3ae40e89748d2cc90b0effbe00e3da113bb22716d289fb0303d3ced10a78

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
80KB

MD5
6476cb05dba1d13f7139123294006a45

SHA1
5fe82d01eaa8bffe2b1d0be80414e72b251af69d

SHA256
c040d8ff28e5bd85fdbf834450e7fa79dbf8b32767ef79818888d0861e7254f1

SHA512
fa09afed1fdb9c16d56aec6912332bc85ca7fe160aa10f7ef9dec0d70bf144eeac130f63778cf3e4072690ba48c7063bc663ef8d78b3cb0d35d06f1ff924d7c9

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
80KB

MD5
02563fdc4d2b9e4cbed8d78b594ea2a3

SHA1
23a6327c886232e1016b644b34cde656522efd54

SHA256
0084d5755c1eaabf151948357cb72f5eb21b10c3887af904b8ef720a3ac0c8bc

SHA512
057d069bd59db77340a82ddea04645ea434bb2c218432f075aabf68317cffe8b7eb56700c05830a945ce89cdc6f94ef8010be85a8b7e6d845a86f710dec6f314

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
80KB

MD5
8f997b04b804e079dcb0f637c7ce9e63

SHA1
9b04ac7b0a2e5451aa8ea3bb6df6e95539ee3123

SHA256
7820335f4988cdf4e6fae192b5488b2c87bcb8e9a75a7efcf017258dea7f7bc1

SHA512
255efd1d919918d89ce5d99d061632341dd4750b5925e695dac73fe972cb58a21025ea03acdd335d40abfd44919e5001f6a7a6acccf2d9a96568ba19521af078

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
80KB

MD5
e0ab1851047cf6f285f9e963ce28793a

SHA1
536cb1d06e6b0892afb237258173c266bf78a6e0

SHA256
31f5e993d886925b18a656968c16a1dc18b7fa31323f94fa25f08077ce8e98e7

SHA512
5cb9345b6859e5b243e58a4d51b541485f04d2f886df251b925f6bb352e43c6637c3a468de071462c6b9f6d2378def8804241968db3c6947fbce8dfd54f72adb

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
80KB

MD5
c765101457c5e6853c2ef7b905ff80d7

SHA1
84c1dd7772ca6f11f9c24f3f89ba59960d59e227

SHA256
adb457bbbe11a4838c487192cd7d2166f8f3866a3873419221f0863558948043

SHA512
c214e4d11fad8eaa98a347ce4183b25ea75042c80df595fa603c1a3e5d2b09824a1ecb7b82396341a0a0de6fa036603dbd3420c56ba478b896c5a5f31cb0e885

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
80KB

MD5
1060862395ac5a3020c1ee8c79495819

SHA1
cb77ec9d50d996b1a72b36ba1f3184d5d5e2fb12

SHA256
f2df97f1f6620fadedc101bdd01a4c77cccc9b707d366cf39ea3130c5aefdaf3

SHA512
4560a5b0f6fe4e89d0b3392f07cea4aabf8b9f33bdcc5d7508492c49394859459d47a1276e197f4fbb27fd8b6f97788427671caddd485883df3844d220657a52

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
80KB

MD5
6b59729c0ffc3bbd89d5a34631659c10

SHA1
9eea01740b260d73afe1fdfc371c0d8d6bdb749c

SHA256
67d2d34816dd6157d97437b7a22266ac958e426a1dc077b25789101bc313c4c0

SHA512
d5bda6399c2cc5e31a3c93b0a97017cd1b594d4a7570ebef0f702557476bd1edc470e4c38f4fd2fbc61e365956304aefc0e6fdb8c77828bb9c3ffb0690398f9f

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
80KB

MD5
15e2189a80e833da62e9d96bf694ed6d

SHA1
0a14ab1f42419cb12c12248e43c2a8ff41ae88cf

SHA256
a7925b89c9e37dda07d1de4d30f7d18f5167cf06d53556270b8a4b34e061ac6c

SHA512
cb62c183c02ba439ebde36691477075cc51344ef21aa55d692cc1b1e2571188e2e765143366d4673a5c009644d000ac4b6fad721ed918af5bb791bf44e6fdb4c

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
80KB

MD5
b38602a0022ebbb1272b828040940542

SHA1
0415701c1f0bdfbec4d9a55c764ec0a433c4deb8

SHA256
a241567728b8656db413fa9bfaa484ca5a4e13ff38c00434a81a5fd9598082ca

SHA512
44a17be2d0338e9f5c8f4c46eccfa852568931d3be60b0071a2681fdaa7969ac7f1b84490ccf8304acc67272dd3389713036b4dcf77e37e64c43a2a1988f1439

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
80KB

MD5
69efa1aa2ad762491bddb36331065ff2

SHA1
eee01beb983209bffa19f013dbdafdab9b5141ce

SHA256
506a523025e0e6ac3cabe3a2063f6f8bef800ddedcd953848bad52ae48322bca

SHA512
0948c4aa939ffd2961020d4c54f6478cfd5528e0394f2491a2cbd826eb36ccf582096328741b9becdce5b81e1617b30b2ab7c5f9484ad76c1c19b62a832644dd

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
80KB

MD5
00a9c7bb73819838278725da95c70e71

SHA1
0348e3b73ad612924f4dc316c15df14799896c20

SHA256
dfa809308f678a7c12eb6646d9f00013503af4518a7148f7d6be515a01b5a928

SHA512
9adfe564f49b25e010c84a7ce000a13ac97b45729485c22d61420cedd0c3b06aa23a57bbacae317d8134bf971000b85bedfef6c398753098e1e471d964d5839d

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
80KB

MD5
86d888728abbaa7c3478851fd5e80df6

SHA1
5ac5296dce2d02117a174076fb471dc89776561d

SHA256
85d2ca982e525cf2c7f0600c16045f7d802de060b70e0d604e23a3a666ac044e

SHA512
2d81b3e2b1d31453e1c4fc39c0b7e5a0f82e3d55020a19066208c291f674fc02be690ae17af0745cfaf65252a2b5a1399728fb20cd9fb3abfaf88680972c5fbd

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
80KB

MD5
aa723338636a827136900d07f1dab4e7

SHA1
c6483cc4ca1ade1a8c7695c2fb2409f26667243c

SHA256
a6de0b11a736ceedaa5648749c5cfbe98d3a77dfc9e64bb9f61b72399c0d3b9f

SHA512
593b78f776c3b18df7a98a21c04b1756e9f330d02bcf18b4450bd83cada2ec112de2f2ebf2847ea8b7addb6d009cf9174cdff47979acafebe9d722db39317606

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
80KB

MD5
7f6b2d1b57d0e1560d59bf5dcc47cfae

SHA1
327625d2fa852f5488761f83ad4c882261dc68bf

SHA256
a0c46c2029508434c6894085060283ad938d049c85468eda13820cc7736a4363

SHA512
0b122214904ca22340d5fc91d9122f022259ec8cbf94ead53520d083256e70a3b9936da45fc6875b315b19c6df3705832871e71059fc97fcec5109b6790fce7b

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
80KB

MD5
5265fc856903bc9898381079db5dba6e

SHA1
585acf0b9fa924cb1114ed8c128a80854a14a6f8

SHA256
de397c61b39ff9634aefd181d5a367a6f70e15176f76057e8da0d4d5ddc3babb

SHA512
91550419857dc6dd1a788f9580c5d8514559b8ceb54717916fd5a65228d18bafbee7de1101711f0909fea5dd8d0b9fec8a765eb380242eb66e7c3286f1b50594

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
80KB

MD5
895059cb81c44c795c600f4da7af903b

SHA1
4bd4de6f4d8f7ca4b912ffb6b35d3dc5570dce1a

SHA256
1a6d0fb8e5dccb8b4a98f08048765463ea70e4b49a47562cbcb6373b4c37b07c

SHA512
8628c82d41deb1352cac47a69e8b4382d478dd11ead8c27ee5006df7c83dc8c336f698d813522a253500902cee6a0a0a628c5f53bd551ed8127ccc82e730584e

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
80KB

MD5
464b662476f381088bbf0b63c4df2cd2

SHA1
aaae852ec77aad4bb5cc8461b2b62a6ec796423e

SHA256
6fafc6f015826824fa5cb11547cebe951a8a0dc64b93b0791fc767f17a002966

SHA512
2e6582a0c3c011f47d23e289699127d0bb303500cb7633b2ed3e399b7efca2e340c40fc624c8eef98c6049aa47b61f6b98bb0a4d3cb15904a7b57796fd11b03c

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
80KB

MD5
824d2e10726721e43221383fa59d0b95

SHA1
e999dc475191558670365b8b455494ed11e07dfa

SHA256
972965b808a493009bf7c108906bdbcd50d93dd175d6e15d4fcfe69b70b6ed12

SHA512
3b6c75c6c113b2471deeda9d49f38e21a2427dbab5d899edbd9c0e23c0df5e6bf15596bd657db90f108489a9481c1fb4c987768146f277c0e85949487af158c0

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
80KB

MD5
5ebad0fc52396c2099b6a15bd39aa632

SHA1
d001b3cbdf3213ca5ec5c275284d089dc888aa64

SHA256
3069eac28285225152277964e90230de3037073ab2773d1f3ca42de3a20fb803

SHA512
090c7fbe87f7967b5546abf3f419996911b54117c0e18e09a45173a4958a6dca20375587633098c26c6ed22644e869c390830364f5fc12aace264847067470a0

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
80KB

MD5
65a92d2a2878cd8cc1be96e7d8c25d34

SHA1
2ef4fc66f2f821cee651f4d5ff340bea131432b4

SHA256
87d187350369f85eaaa9b86bff12910e368c085a12a5223b42258e4cce9ebdfc

SHA512
fc6f211e0036276b7159cd0c5d46aba67b15323c6c0ffd38330b1a2fc005cc01095c395f2813cc943f74e1f39eec5d26a62ae9c052dfce7222d6320bf4328b06

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
80KB

MD5
5a72f0c8f2c8fc58ca6454dcd8e2abaf

SHA1
398b30b06fe803daaed8c004f57e754d999da60b

SHA256
865d7f6455c86a0f57294a1a3c5c025ab2330c272a5809e0638c171c4fd843e9

SHA512
b7bcb8a655e18076b6465efb9667a37653a08fe8be3a3dd0a6d9252e705c9507bf33fd49b40dd1511213c2d5fd39b44799833efe1bf267595a00366ef5fb8c7e

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
80KB

MD5
8748e5abcff59ba324505694965f2fd0

SHA1
59de6d613c65fe6793a8f4d9b4e2ef32ff7d22a6

SHA256
2256fb2a06df739b2179f923f6c5da5d2a4bb23e2b9a3713b70b7c73e33fb949

SHA512
4b5a83ad0d4c88389ddbc2785b0f97897828b5cb5840095e270c3c8dc84c4b22758e58bb1695d579131690d947d487c1e16a4c930cbca62667900e7fdcb09d28

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
80KB

MD5
540d51adc8f20b66d0506b0a8ba65e2c

SHA1
baf711d202d1cbf1eb16b35ef876d7b4df166ed7

SHA256
4d8c4e09cffd703eefe4e9dc074fb0c9ae3e2b276df612a7b94d00357118f72f

SHA512
61c20769977c43e8ba827adeecb10e16a91d10e4eb4904b23d95d819ca2a00d8c843b8542c59320421365a8d415c4bb8c9cf357b5ba3831cfc53543964ea3a62

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
80KB

MD5
21f1fa45efda698ebe75e4826ea0917e

SHA1
1c383a450475683fee8f4f37d375d40e119782c0

SHA256
0e544d4e102073d0aa9283937b88c79f288b1415b57adb5938c17dc3e73ea98a

SHA512
abcf39ee6b7604094607c7fa688924df6f78e1c90dde8938c1f636b60f05370b211f470e68380e71cc2b87063aecde6bee5f44e6d9e122f7c20608261a6f1337

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
80KB

MD5
92fd4d0aba7bc53e6bfcc7881b9141f1

SHA1
63e88c3c67f8b9c511864f452b7d34d82b3af1d0

SHA256
e5be0beabc8fd1cce36711fcc32c36b8414d56bab5fc792675eef2e206563bb7

SHA512
d8738d2a062f458e3e5487aac643294c42ca31e8640bca46284438dc333f4a3cc86f6075c9fb02c2863fb800b9e83dd0ece5f295104eb138a053dbacf8dec020

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
80KB

MD5
338f4d33ff9985efcd3ed5177b90cf8c

SHA1
81f99708360648499c95fe95a1e3bb0cfc6195c1

SHA256
24ce41cf475caf6dbb04b367a3d493d3c90d8d9732f6fe5643d4bb4a029ec182

SHA512
33e39d421eb3b287a58107db7b4e0c3d290aa50d94a84c2ab300ef9065188235460f5f2e225974559478cdb996972342a40a056e60de1dca65ea42d81e282418

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
80KB

MD5
53e9aba1b5fe98cdf12071d30b64adfc

SHA1
a1c3ce4e8579cd5870733596ed83af4f021e32b6

SHA256
e85d54b27f3f8ead6a08935946d4363d28eb006e533f19a66bdc3e892285a61c

SHA512
2efff57de4b27e594d1c0dbbda7bb6cc12b55929d73883785afa64f2aa0a5280b817fcd4b9b3d1700a847da22ceed16eb0b89d56f2f15ab3ca62592e214b1273

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
80KB

MD5
9b5be5317ae0cd435cc17c5a0e6b2b65

SHA1
cefe00650e2879e9fbf9ab3976e3359f668c0f7d

SHA256
f430622615a3566ad06200c01967dc933542684d03d80d3080f795e8487d6813

SHA512
3f7e3184fbc7d8ef303c9b06ad03a3b5f2819cea351067a3b2bfea282dd35a94b18630f8336e84a03248efeaf3612b292224201feb6a9dafb096a180e9a577d5

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
80KB

MD5
bfa02e7edb644477d908a96fa31067cc

SHA1
b2f12e8c74224643c7391b6dd934708c1d3af8a0

SHA256
16887d3fe74bfe02384b27deb5e3b556f39e1a38cfdbb4de28421d5884993716

SHA512
6472f1299c440ed10adcf4d6b1ade8f39038b5e48de5dc1f3a8b1e0eeff451e727a69ae0482da67d39fa4b0f995eebbb4bbdc6ad3b3201ad3c3460ba98a931c2

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
80KB

MD5
49cc11b3ec275663961a6087ef78406c

SHA1
7f453aab8ac5c220893d91ba27172126d45972f9

SHA256
efc9e3ee254cf96a8dddb0da5f87fc4674b35125431a7d17b17806fc645b1ac3

SHA512
ebe860abcd2e676f1fb717e0eb6874892da737cf5877ba804422a20c8de99d368b21a724f8dddb4e7da27c4b98baa096128fd545bba002fd5c308ff184ef4761

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
80KB

MD5
60ee1b7f38bda648a56968e67d4466fe

SHA1
bd0460a58f5f99c0d3461b1e420651bb9c4decd8

SHA256
5c7e02a7db00e7a3cdc9697d84f0e258a08bda8f308552ab2d5fcf66af13cd73

SHA512
c966ed6e932024faed03afe397e07eff01785fcd7412943bc9a4d5e3d9f85dcb2c1913e34ffdaa27b7d1ae1fbea9857f7f924c1ca4ef99efe23f53348d909487

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
80KB

MD5
324e5c3856cfef52901f3fad7f65550a

SHA1
150efbdeaa136aaed5d5f90212e70099d364fc2c

SHA256
18da4797ad53e0d7276c40b8c5e9946653ac8e7eec35766e2b3a638b1f987a38

SHA512
175dc8f390f13d98bcb2aaeb2d02d5604ba13827e4650c247b084839925657d75667efab6460e75981c35b5d688373489a748737bb394ac855543891a4003afd

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
80KB

MD5
313e8f6e867368f50de41e321e2fc6ed

SHA1
d97c17bcc7494c2a3d1ee5bc60b8ce3a9a8a4ee4

SHA256
63bdc4a6c9635b6c871b2bc0ab8c4c80e82f63f139f99c50eb1dd7d4688e8ea9

SHA512
71972bbf0264581e167667ef301bd2d202082630656d59d2ad495cb1976e797ef4ca98db426665ce6821b4b86b67ca46deb7f86c1de4e00b64e4d303e67ec4bd

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
80KB

MD5
1f16de8c7628c724a6f169c4c2886cfa

SHA1
78fd5b29d306839b753db9e3a0a2cc26cee09c36

SHA256
28c8fccde9d1a4fada752a238efbf03a6c07b76067811349a489c0f6f02e8dfc

SHA512
40085e860173a0ba15d31ff8efce1abdaa59888c9a754aebf9cd3795799ede6df7c03a3b86fb84479fdb585ab66bad70a5a55e05d5ff32ebf81c2c15e4952a52

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
80KB

MD5
24a34bb73d97a3014c2505dffbcf79bf

SHA1
4fcd8fecff29be491b04601ecca34746a6a74611

SHA256
d254a1f5df608af258a0fe926c4fffc2639cb951235a18db6a22b62d8115ffb8

SHA512
af01707d962806d99865d6fa799d80ff8c038473bff01b67aef4db2e04b55725156ecea61cf908b8634880a40e61908d71c26d766d87cae3973b5d8c95c6d829

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
80KB

MD5
2b5e6cf70c6fdd5745c7fcca6af6a770

SHA1
b4389d8cae26e2ed681bfd95128b0e01f8f18f61

SHA256
9278e75e0ebe48b1f69aa994fb977e5134e1614e4edf91cc825e2a415dfc160b

SHA512
863a98f98f2ddbb36b852f255a7d2e5eb1f186170fefcbdace370c6d09bbf7da6639166273dc80283500a8304d13296a8ac6408bc399d4c96a608642efeb1dc9

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
112c116cfb559b0b76c41a2772af826b

SHA1
61f8ac3de9ccb5b5d779aed8cef3c49c87d4a287

SHA256
427550a145f5f3fb13ba99405aa0deeee51fc1776e042d84b6209fcf2b2e2977

SHA512
9bdf917ae0e3d366f07380a0281230934269c6e3b26b6b16c5869308bfa2a847ba3f3e0e72cd98c29dcde5d371dd8b151b34bc92b89678584f347c1dc8156dd4

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
80KB

MD5
d7f8115a678a229ed2864ce2f937045f

SHA1
c8a1adb86a4bb765fc15834ea97aeef4b944e353

SHA256
d8ad271b2df8465014c5b37f6f2361ff38572a3dc53c916faa8fee35aa87d413

SHA512
038925899f7d9eb3063808811993251141ce06c5a0debbd3e541a26c1baab069f88f7895522c992a32d942654c296a6d2ef21a07b5ac7fab38bfde7248f77e3b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
b47ef50da85a307011b19f34f6045eab

SHA1
9b4d330f4ab3c45507348a4ed6c554e25062979a

SHA256
8a23574c609fb49a9aafc061beb30c55c210d7c6921e5a16ba388c0e0874966c

SHA512
c8c8efaa106f438f287c5d55b97f6b2f8b2193c682f6c55a283919d3df2a0e0f799d74c07e74ffeb6a3ec7a74ddba526672a21a6ea3a57ee1534acb0ecae6d2b

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
80KB

MD5
b03e1c45bff99cb507d5226cc18dd96c

SHA1
5a7cdabdcf0c2b22e0b2c61ea9fe750cec3f938e

SHA256
5f092da2a3b6dc9c6eb8732b3514f914ac8288a4e42f9ebb1076397705e7955a

SHA512
ac2d707012566c880577958fcc55150b2c2beef7855700e5a1043ac8255bc652cafb3df22f1839b25a4c150aca3efbe3f1604aacfb2ddff59aa5fb57d03817f6

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
80KB

MD5
2999ed39c0dd2706c4ed527b8972d052

SHA1
472ddff11f4987960999caaa0d4d9c42caaf09f3

SHA256
564aceee8eb56acba17119f0a92d677ac8e45b847276b9025481ca5a25d2e514

SHA512
1a62b2fe57d9623e8318fae06bba7caf99675afd4ffd27245bb4505604a1a94b39f86968a38ef1c58252f64df7335b0e6676730c5c1a5a00778f73d4546c7dc1

Download Submit
memory/208-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/208-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/812-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/812-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/820-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1648-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1648-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1676-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1676-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1812-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1812-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2332-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2332-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2524-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2524-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2712-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3372-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3904-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3904-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3956-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3988-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3988-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4460-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4460-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4712-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4712-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4712-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4744-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4760-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4760-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4768-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4768-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4960-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4960-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5100-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads