15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac_NeikiAnalytics.exe
Size

80KB
MD5

2a5e3825d113e079df63b5951c05aae0
SHA1

e17cf721d3e31c91f8b76aaaccc4bc09e90976c6
SHA256

15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac
SHA512

5074b1aca89d3f132ef8efd1e9821ba9010664a6b461afc7e1ce289df88d0cca8d3bbce848bfbce4ab81bd4f005e21e21b0238c0d48f9cf61a65d2162580e427
SSDEEP

1536:uyAOlT250p51GKDM2L/J9VqDlzVxyh+CbxMa:zlY0dF/J9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe

Executes dropped EXE 64 IoCs

pid	Process
2308	Gbcakg32.exe
4404	Gjjjle32.exe
2268	Gmhfhp32.exe
4264	Gbenqg32.exe
3952	Gjlfbd32.exe
4808	Giofnacd.exe
1848	Gqfooodg.exe
2008	Goiojk32.exe
3664	Gfcgge32.exe
3192	Gmmocpjk.exe
5016	Gpklpkio.exe
3956	Gbjhlfhb.exe
5092	Gidphq32.exe
2980	Gqkhjn32.exe
5060	Gcidfi32.exe
3428	Gjclbc32.exe
4204	Gmaioo32.exe
1124	Hclakimb.exe
2868	Hjfihc32.exe
3552	Hapaemll.exe
2396	Hcnnaikp.exe
5020	Hfljmdjc.exe
2844	Hikfip32.exe
3468	Hpenfjad.exe
3828	Hfofbd32.exe
4068	Hmioonpn.exe
2464	Hadkpm32.exe
4440	Hbeghene.exe
4356	Hjmoibog.exe
1264	Hmklen32.exe
4320	Hcedaheh.exe
3816	Hjolnb32.exe
1640	Hibljoco.exe
3716	Ipldfi32.exe
1244	Ibjqcd32.exe
2028	Ijaida32.exe
1844	Iidipnal.exe
3680	Iakaql32.exe
4004	Ibmmhdhm.exe
2092	Ijdeiaio.exe
4420	Iiffen32.exe
4056	Imbaemhc.exe
4084	Ifjfnb32.exe
3396	Ijfboafl.exe
3352	Iapjlk32.exe
4380	Idofhfmm.exe
3460	Ifmcdblq.exe
4592	Iikopmkd.exe
836	Iabgaklg.exe
5012	Idacmfkj.exe
1912	Ifopiajn.exe
2984	Iinlemia.exe
1680	Jaedgjjd.exe
4340	Jfaloa32.exe
1696	Jmkdlkph.exe
2620	Jbhmdbnp.exe
4532	Jibeql32.exe
2580	Jmnaakne.exe
1080	Jdhine32.exe
3900	Jfffjqdf.exe
1192	Jmpngk32.exe
2000	Jfhbppbc.exe
3128	Jkdnpo32.exe
4116	Jmbklj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gbjhlfhb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6032	5580	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 2308	3252	15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac_NeikiAnalytics.exe	83
PID 3252 wrote to memory of 2308	3252	15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac_NeikiAnalytics.exe	83
PID 3252 wrote to memory of 2308	3252	15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac_NeikiAnalytics.exe	83
PID 2308 wrote to memory of 4404	2308	Gbcakg32.exe	84
PID 2308 wrote to memory of 4404	2308	Gbcakg32.exe	84
PID 2308 wrote to memory of 4404	2308	Gbcakg32.exe	84
PID 4404 wrote to memory of 2268	4404	Gjjjle32.exe	85
PID 4404 wrote to memory of 2268	4404	Gjjjle32.exe	85
PID 4404 wrote to memory of 2268	4404	Gjjjle32.exe	85
PID 2268 wrote to memory of 4264	2268	Gmhfhp32.exe	86
PID 2268 wrote to memory of 4264	2268	Gmhfhp32.exe	86
PID 2268 wrote to memory of 4264	2268	Gmhfhp32.exe	86
PID 4264 wrote to memory of 3952	4264	Gbenqg32.exe	87
PID 4264 wrote to memory of 3952	4264	Gbenqg32.exe	87
PID 4264 wrote to memory of 3952	4264	Gbenqg32.exe	87
PID 3952 wrote to memory of 4808	3952	Gjlfbd32.exe	88
PID 3952 wrote to memory of 4808	3952	Gjlfbd32.exe	88
PID 3952 wrote to memory of 4808	3952	Gjlfbd32.exe	88
PID 4808 wrote to memory of 1848	4808	Giofnacd.exe	89
PID 4808 wrote to memory of 1848	4808	Giofnacd.exe	89
PID 4808 wrote to memory of 1848	4808	Giofnacd.exe	89
PID 1848 wrote to memory of 2008	1848	Gqfooodg.exe	90
PID 1848 wrote to memory of 2008	1848	Gqfooodg.exe	90
PID 1848 wrote to memory of 2008	1848	Gqfooodg.exe	90
PID 2008 wrote to memory of 3664	2008	Goiojk32.exe	91
PID 2008 wrote to memory of 3664	2008	Goiojk32.exe	91
PID 2008 wrote to memory of 3664	2008	Goiojk32.exe	91
PID 3664 wrote to memory of 3192	3664	Gfcgge32.exe	92
PID 3664 wrote to memory of 3192	3664	Gfcgge32.exe	92
PID 3664 wrote to memory of 3192	3664	Gfcgge32.exe	92
PID 3192 wrote to memory of 5016	3192	Gmmocpjk.exe	93
PID 3192 wrote to memory of 5016	3192	Gmmocpjk.exe	93
PID 3192 wrote to memory of 5016	3192	Gmmocpjk.exe	93
PID 5016 wrote to memory of 3956	5016	Gpklpkio.exe	94
PID 5016 wrote to memory of 3956	5016	Gpklpkio.exe	94
PID 5016 wrote to memory of 3956	5016	Gpklpkio.exe	94
PID 3956 wrote to memory of 5092	3956	Gbjhlfhb.exe	95
PID 3956 wrote to memory of 5092	3956	Gbjhlfhb.exe	95
PID 3956 wrote to memory of 5092	3956	Gbjhlfhb.exe	95
PID 5092 wrote to memory of 2980	5092	Gidphq32.exe	96
PID 5092 wrote to memory of 2980	5092	Gidphq32.exe	96
PID 5092 wrote to memory of 2980	5092	Gidphq32.exe	96
PID 2980 wrote to memory of 5060	2980	Gqkhjn32.exe	98
PID 2980 wrote to memory of 5060	2980	Gqkhjn32.exe	98
PID 2980 wrote to memory of 5060	2980	Gqkhjn32.exe	98
PID 5060 wrote to memory of 3428	5060	Gcidfi32.exe	99
PID 5060 wrote to memory of 3428	5060	Gcidfi32.exe	99
PID 5060 wrote to memory of 3428	5060	Gcidfi32.exe	99
PID 3428 wrote to memory of 4204	3428	Gjclbc32.exe	100
PID 3428 wrote to memory of 4204	3428	Gjclbc32.exe	100
PID 3428 wrote to memory of 4204	3428	Gjclbc32.exe	100
PID 4204 wrote to memory of 1124	4204	Gmaioo32.exe	101
PID 4204 wrote to memory of 1124	4204	Gmaioo32.exe	101
PID 4204 wrote to memory of 1124	4204	Gmaioo32.exe	101
PID 1124 wrote to memory of 2868	1124	Hclakimb.exe	102
PID 1124 wrote to memory of 2868	1124	Hclakimb.exe	102
PID 1124 wrote to memory of 2868	1124	Hclakimb.exe	102
PID 2868 wrote to memory of 3552	2868	Hjfihc32.exe	104
PID 2868 wrote to memory of 3552	2868	Hjfihc32.exe	104
PID 2868 wrote to memory of 3552	2868	Hjfihc32.exe	104
PID 3552 wrote to memory of 2396	3552	Hapaemll.exe	105
PID 3552 wrote to memory of 2396	3552	Hapaemll.exe	105
PID 3552 wrote to memory of 2396	3552	Hapaemll.exe	105
PID 2396 wrote to memory of 5020	2396	Hcnnaikp.exe	106

C:\Users\Admin\AppData\Local\Temp\15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\15d62fbd3b9a200c657c0c9e0a40b80417bfdb4985dfa2cb61256c292e7578ac_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\SysWOW64\Gbcakg32.exe
  C:\Windows\system32\Gbcakg32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\Gjjjle32.exe
    C:\Windows\system32\Gjjjle32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\Gmhfhp32.exe
      C:\Windows\system32\Gmhfhp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        35⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        36⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        38⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        40⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        43⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        47⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        57⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        59⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        63⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        66⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3260
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2956
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3620
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        70⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        75⤵
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        76⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        78⤵
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        79⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2204
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2704
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2724
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        84⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1484
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        86⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        87⤵
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4080
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        91⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        93⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        94⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        95⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        102⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        106⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        109⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        112⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        114⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        119⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        120⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        121⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        123⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        127⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1744
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        129⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        137⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 408
        138⤵
        Program crash
        
        PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5580 -ip 5580
1⤵
PID:5904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
80KB

MD5
38c2912f61ce0bfeaaf3a63499894490

SHA1
12ce9bfe1e060a97980328f2d452ea5baff43be6

SHA256
605750b67cc4cb3648478d45fd0710cbb6462182948b18d18bea8dec288086fd

SHA512
09954ca1aded58c4994aad77619d4d784e03786012bb730fa3a3ce56144a02da8b8d009647b9c503a8aa35973f57d99ef0a28563fc92272326d59d2f0ac86aec

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
80KB

MD5
3da2492f2307dc9d93312349367f7371

SHA1
449988aa2fcdb4125fed1c0e6bc4f0314964125c

SHA256
d7d63c3c4e0ac47f49fd8ac723beb0ed32ae458ae2fda6e368346188a4ccbab2

SHA512
cf0f015c862033948b40a0d7e6ce5ccce26e3b3d51b4616397d60d2b1ce2462bf3731c363859fff50574dd2bcd29b4c209f6811d18b6aa951dcb89e8852c375e

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
80KB

MD5
12d442a3fe6fe8ab4296a9c07c4ebc83

SHA1
c55443109bfb0a908f60b38039bf94c24cd051ab

SHA256
43e942918bd1693fc614dc6ef2a4ad8a56944a51246842f359cf937921667b46

SHA512
f126f6b029c13f45453a36fb86015ae625f6ed316c9c9733b529678b230dae5986e699304167d15c0f78e702ee223450813ad8c2a998b30699470b4c566afb66

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
80KB

MD5
3c99e5c199077e5ad250064bd77b3bf7

SHA1
8dfb3ba741f7b4c29b2e5539e4d1b4e2360bca8f

SHA256
5357e4bbbc48b026ba23941bc3dff4aff4abf4f1faf3db8720afc6325305ca6c

SHA512
ddbaefe0a8cf7df2f28c36c900f0e16625f3f50c55669c5a8ef9890e609be8249991edc7cbdc32043a54b4ad4131c6689d62ba3897b0658a5ebb17409e2006aa

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
80KB

MD5
894155d251a26a7ec6c088a60419542d

SHA1
70bbe229ba26dd22600b832ac2e6e02298991f2d

SHA256
b9175f1c3dea591a1edc89eabd451f227d96b908885b6795bebaa9dbc1305995

SHA512
365837dff47700459a6fd4a3ee679c2c47796d0a1f344782dd71b0076b2a46480c8a07f96addea2ea37af9f274359cdaae8af56913e9bd633d13202f1cd55cec

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
80KB

MD5
b0dcebccea9f03525e9264e9aa6cb357

SHA1
48be0f76e93aef8d38a6dc680545a4be9cbb9501

SHA256
84ade91314f84e160fd2e2b7720592ab9b9275eb47f4a2cf5ca0a24f19efe160

SHA512
19d940523335ed6dbafce8ca38969f1c773faaad47d9832d202b23999e68def86370da3ced5179e4c52e8403757eff4a53df744633356ecbebfae027137fbe66

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
80KB

MD5
8cfd37e1d471fa9adc3929ee0fe83570

SHA1
2e977372a4301427c99455d63aca0b477057c9b4

SHA256
3ac967980b4ab7c8037e55c5df20db51632f11db7bb77a762a38837d3cadc0fa

SHA512
298a492560195621edf893c80757f255f1fe3eabc52bccf26963e22f018f14168ccabf38f882a1ded947c9757fb2b482a6f27135f048c92090afd172fb884ca5

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
80KB

MD5
aec6c164efd706270ee6f9a9b55dd70e

SHA1
d31ddde58d82bbec0aac83d65b3e017252909a99

SHA256
0b69adf72bc696405146fd1c11f0a82b3e25ed1286b6d5e5c51ffc607840dbfd

SHA512
e166c2c574b97fcc154670f2cf5e9b3372f02756a2fc5ae8fa0e7d4c4ccf2cc0379e9dd48ecc3bb7f9ee16e4b229427efa2ffa245c91526ed4f81e37ad8f1c4e

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
80KB

MD5
212916759d407cc756731778fb9bc363

SHA1
7a8558045d9af1f6649256b1bdd9104d7dcea201

SHA256
bde788aa1d61f451ec091bd65758df9f4ea7fd7c90ea5e1a00c9b5f844b24ca4

SHA512
6ba210238be30faa334c8898204020cfa68be680444c71eba8d2326c5195ad9d701688db0dbba36c5b63e9310822debc7e5af32fed739dbbae11875904341c6e

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
80KB

MD5
196a7e1c25491a168392192b107e46ba

SHA1
570135098b9b5e69be3a5878d24ab097a66f909c

SHA256
e3e1976246e5caa8d51eb9c4b4ad8f8f3407f52c020c970aabebf07ed2dc64cc

SHA512
ba553bb64e1fa096ea80b9fd2822c40f7ef96495841605120d18b83bb7210deb8fe70be5844eb218302b25ccdb1d576a3d94e58124534aad1dc988555bac2d07

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
80KB

MD5
5c54aba05ead43add5a9d314bf6ccd31

SHA1
3d7dbefd7b4005ae2cee12cd67358e2fbfafb12a

SHA256
b50599a677afde502e26b51a499bf8c0bee1d9a392859a54979f98fc7650f159

SHA512
d6d7c933f2fac73d4f0bea90b8a3593038abcdf3cc4e00d466fb8ea9cf705b6fb0b2c342beec701036c1ad849f6c97cb472956da52d9fe850426f1cd431cc947

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
80KB

MD5
62e3ca370ff42c9d8bcf9e41ea233d6d

SHA1
79f07e957fb66858b84b1fab3737b130242a52c7

SHA256
7ac7960083c5bb070ea6e0c47049e2c913a552a7c3ffadad58193c6a95c8268e

SHA512
227be18126f721ba76153b799273fb1035f54037e6113e9b97181c93aed8f5ec4e5b61890a026e824198c64656d3c7ee26117a9ff8307d0cb4801ebf36816446

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
80KB

MD5
e09c70a1e659a8a5f8f5ffc0eb95253b

SHA1
3f138517aeef3e48fbc4697d33f16a64d0f9b82f

SHA256
24b839dc6ce8d81dd8ac9d610b9b806be7b0632c9e1142dbccb6eb07d536c6f5

SHA512
e9ad533f776a2a371c71dc975c8316b3ce1b8d547b3473c02f8914f9830253bad2f9cb01f08c897ef1921922d6813cb7dc34cce76615147931c0696d19b8578f

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
80KB

MD5
3b77fd5ab9089c6ee2a6fe9c492cb831

SHA1
73bcd4a765c090fc79383b2db79a18c3b759fe2f

SHA256
8bc40f906ecd1e6cb82f2d3e0acb42373d182d79e8dcccc94e579d04392ffce0

SHA512
562d387ae432d18f5cd74ad7ae93ec0e590da20edb08118e05d43c1471b490149a47089610caa3f67f8dd86f1d3d3456ff04faae0a70e557b6d195cdcdf01547

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
80KB

MD5
268e607b0860abfa9a5c3687bd2b8e70

SHA1
36085ba9384bd5167643d6f423de75beafa562c8

SHA256
1cf7fda017297acfa4165238445247885022f6c000fc2089243ff4efc68764d3

SHA512
15b435217197b4e06ff72c45c7f94b8cbfb5cf06aaeb3ca8d25b4080493965a8c163c641d2f33b633b3b01f2130117577b82266b061c39634ec03f068e0b0d0e

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
80KB

MD5
6b855c4609ca0c6dc7d20218ffe188a1

SHA1
92c7812cb945e74b9264ebc3aa05e50eb3f0cbec

SHA256
ac80cc9c8a27909a41a9eed5fc74823f8439a284e5a2d9db5b079f7563b9c7e8

SHA512
a2c015be0aac4b292cfca5aab29e6aa8aaf3cf4b13eb0191d315aa378885fc0386885fcb6f3d87bfb2074a4b28a83292d127cb80ee5fd8c1d428fc719190dbe2

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
80KB

MD5
e3aca8506ae99d1331625832d7d5d3a8

SHA1
b13f3533d1bdc7b1a5e779187941917ae6fd9ed9

SHA256
5a6d81e216188d1e186a6121b0cd73b45fa120347e8cc102687d34f8e3323f0a

SHA512
096cf3252fc0c249e9705025bfdb44b407829f7267a823bbe6475141c59b23a82f21a76f4e9b28b8b0f9007e1f339ee6c55fa981fc0f3ad3c3d2280360a35289

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
80KB

MD5
e904b1790e85c307def1c3a74336885b

SHA1
9a798006f1c167f8e6a33b4bad2eb6e1e4138dfe

SHA256
ac8a636522b6f20ff53b30f1b7029b878b56e2a7d58953b1cc858507fef49c2b

SHA512
9600dd1db528783bb5895b57e04f89ee321162a22b9a72314862f6b8c1b4689bc8f7f0d4d7b7d9c551ef5d018f5d0599ca97a0d19f75a8f970524b7b4706a63c

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
80KB

MD5
12e9f42065ab3a3e7d1bfbaf44f782f7

SHA1
b3388f9b967dd227cebe812ff124b95a7c60962b

SHA256
304b3966db3e8fe1e013946f8538ea04135e622242b0b04c1de6a1269908bb11

SHA512
e2c09720dc9833d53ba9758e7ddcfec0f2ee4c51122ee7f1ce30cb8fa9e52395148470d6c485c709fd9ee35857b01dde9ebdc48d910889a30918c02070bd94a9

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
80KB

MD5
3fd49346e4459eed0b34fb7ee718ddc2

SHA1
ec5084509fa28d2d3ef9ba5cdce91ec9b9bbef31

SHA256
44dca3464afee91dd21d4a07eeac9bdde30a0822782cc2a3007b16867df20d8a

SHA512
0b429a9f995c22c761563b51143e8b006cead346cbbc7482f03ec71902f53e752139fc99631be5ca23b428bbe862e0e8cd986f6b0db0a8f2a70f5965db2cdb7d

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
80KB

MD5
da0942c6bd6808add7581d97a7e7b925

SHA1
72f8b7b1b724c8490beaf29e1ded82bb0be10064

SHA256
4c8c81fb0912001e44230d7537c53c5943542e5d0c1de5e8d00df1031a152f47

SHA512
d3181ac9b3be487b254b6a059ce16128b13dfc17b3e31bd59c7d45012fa87ba08d1065e9b62ec1f732b7bd183b09c29f9d5fb23bc3809f6ededd19db243271db

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
80KB

MD5
be9f979346cd00fa7f5b32efc28bed15

SHA1
1c242cd010cc865629d6621629d45c62e54fc67c

SHA256
4a5ea6c9ea09b705a126d4c4ec0d7ec5b4da61a7036b97bda9685b2cdc271683

SHA512
ec070cab96cbe38199c7c8fb764cf29ac758cb2a55a061acfb8970346cd59a7f529a3bfaf62befd4ac5700c04d51b556608aa16027dcf055a05f08c59f9c5f77

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
80KB

MD5
01d0e2950788ce57fc0227d43cb6f75d

SHA1
638875267358c1d9d3fe92ea56d14d30cb8cef44

SHA256
7712fc065b9cf02ad0893e30ab217e22f2f08ca87fc0e824d5b58074d5590989

SHA512
7bd0a0119774d6541df47a4774abd1fb9db623c3c13c90fe4fd18c241c8187dc979b8bfcc53c3a8a8f6486bf0e5fea37378c980f84d423b1882e0dc80694fbfc

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
80KB

MD5
76b98c0c7c213b859fd374191cbf8653

SHA1
8425e487e98589c0d96e4fe01664973dcfa4cd2c

SHA256
de092b9e212963cdb56b212fa58c93dddbbf0f4f1d95188fa2c4472f8aa8b02f

SHA512
228a4c639cd4ad8e4ca5428c568ac96fd1019b6a31b1e3223c460340cf39d18f1237b0fb8d8ba22dc93d80d3b3efcde1d14c3a85e82a44da195b0d42efec0b32

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
80KB

MD5
373de39373e1f52aafd6d83c0ec00d0f

SHA1
56b8a35bc270bb1e3c28184f9a6ece148c006d1f

SHA256
e4ed936e4ec9aeaab0cfdd957d93d4c89f1f4a6efe473ecfa4bfe2ba905811aa

SHA512
012f66ba68d537a1b55eba02c96cd69e6084e8d711c59fc28e1a6fa6c50f8e220bb4407fdcd5a87b247ed527a6dde98d0a5717a9eadc3d3ebbe636448c2a4ecd

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
80KB

MD5
b2c57823e188127bd76e95a0214dd487

SHA1
58a0e0828a7318b28a161eecece2088f446086ef

SHA256
d1b8baeedd1f42263a41e4a0ba98b711fe4ef34b4b334929d4a178f58c094843

SHA512
a0a4eacdc2caac147c08efca3589ed0faa3dbfdd28e0458129ab70738986f2d347135903ea69cf489e6e874cc1e9b5f1683a2f585eb1e10c18a3a0788ca46d4b

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
80KB

MD5
56c1dc361ea8c11d4da91738c1261ccf

SHA1
9a6ab92f3dd66213c07f9e64cc0ceafbfbc8eb4f

SHA256
6f40d50c4a88dd79060e05faa45bcd030eca8cbac20b0e0dd8511e75dbe5eead

SHA512
eddffa7fdcdb6a1c7d02eb31d203a7e3d428409660e831ae8252500711f05a01eeb3343bfd62303280333cd54780647645317d18510ac45a96dbb039220f52f8

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
80KB

MD5
578fc52a47914f66420cd863d74ef980

SHA1
2323d4a6d36d8c18a46185954a622dd198959469

SHA256
eea177a5f90f56addff48797b28b30553473c0c020938ea501c39e3792e6910e

SHA512
2eeb54da9fad8ddde79251e549ee033fd9a73947dabc5c2be78a4c6d25a2ee7aa72881fc799c0d19e03337467ba9a30dd7fd209207e42227670b15018cc00f36

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
80KB

MD5
22ae8d29fbeceb5c3cbbac059952e906

SHA1
940f80daa2e83d376c5d07077ea09176b317d197

SHA256
9d558ef1b612918ecf8fa8b2dfde58420d0b7713a2279e0fb6b25d0940b2ee33

SHA512
5207a493924f8076f0e288410d431fb610e2aa1599c95dfbc018561eaff9a0bc7f2e1805d18008a0656fb749a530adc128eae6d19c7b1953feabb265fbf3ad65

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
80KB

MD5
7e001b73832762bb559a4fa856fbb478

SHA1
99b04cbc7321797e4a2d3a771c168fc3b637ea41

SHA256
82169e9490c1e9da105e5870d18c6e3a765a68eb10ab36a5a31d9a9b22256fd0

SHA512
4d56405007e8e486f038d79e69cf1444c87246ca21f581807eab0ed45a9556c147f28471f5a31362a3e166f8cb69844d89a8a77b3ea560a40106bb51d29bdf97

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
80KB

MD5
da354e3e1c141c0052ebdfdfade3e3ac

SHA1
c7c51defceb5bbfaaf3c7128869c577c9e7e595f

SHA256
025ba1baa9326f3b5fbe03266c616e0795945ddb45ada6d29b18ee002dc40472

SHA512
de151cfdb6ee60a2c28d9e6b31b0a0dcd8b98d42f28bb07e947589394c0ca98b877e09f54940f7ef1cd7fbe27a3b74390d219ac18db1913e8a7a71b55af64182

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
80KB

MD5
7495a38baf7ae45257359d70cb44ecd8

SHA1
404da2dc276f29750a0358d346b6d0ee5fccf250

SHA256
26ee4573ef2956a5d13b4a93caa2b7f8acac5a7a96f567269f5fc367f832c308

SHA512
776acb4c2dadfd19fcb575ea25432449b2f56f84dfb11153b8656d8bdda275ef1e6c3d57e76a0a3e8be7c5f3823f3dab828892099a169ef8efd9a76ffeb4c239

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
80KB

MD5
26b0185c03376d0c15e0564ae2c34ee5

SHA1
59035f1abef18b433d9047eebbaedbf285a83c25

SHA256
19fad25e23a127cfc679b89c5e7f739a5b99099a3371cad802524080ae851d13

SHA512
6015675ed2c32cd1390c5e44da3e370418d7977fd3183dd81850522e7ecea72147eebef44c25a9210124907817a64f7d0b4f5912afcfc59bbee80768e6e23b1a

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
80KB

MD5
77402406152a52aedb5d31f183710d82

SHA1
1a396f61e405d2a3103aabc97347b484eb54d40b

SHA256
6dbcf3d4a34aa1a3f04267a83cf1650fbc3130c19d34aa8c23678a9ed46aa78b

SHA512
52293b27e9f0c076f01a629e441dfb9de3e779f28496308663e367de4d657e4b9dbb28502dd52a5dec6c6cfeec9da9a03bedd3fb6c7f44b804525ef93a9647a4

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
80KB

MD5
9c112ad5d1ac35c89ecb1c7b35b5660c

SHA1
588e038ea3477e5a775843b38e786cbacbb73e23

SHA256
0ae6c6cffebf35279228f3e8730db4036d3264f484646cc30eafdf73f4828156

SHA512
ff116b3b013492fbe3f7f52615ed48f0320cea343e3caa7d7a6b37331612e2f8a3a0d0585d868d70e1e2ebe409283694813f442ca48f7a87f5cdc512bd0e7566

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
80KB

MD5
e2fe9f03a58fb90e114f6aaa946e4545

SHA1
b78d31b822628c4c825132d2f13a9068db48e29a

SHA256
eff198fc9d8b397ddbb15dddfb23ba02466d8ec33af324a7ae91c5bd33201f04

SHA512
9e81b75272acd21abeb18211b1483c7f173aafa03b531817354b0fc9765945bb032a0ce4ed6fba9e655fedf54f93bce81fc5edaa32ccb1cd654ef43f52b53de1

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
80KB

MD5
829e61b4aac37fc348be819309a853d8

SHA1
dd41929ee1909a3b59a8ed9fdba2e6fca262e024

SHA256
002aa1a374777eeade46a1e70d87d68f9d5e392c798125bfdaf1a9911f2d9b4c

SHA512
119c29c7bf7fb5dc8691c211521e642e906c323dbd5e93baefe5f6757be8c208d908fd92156fdd68a6779a4b4097c8731c799936d8a4bcac967b2b27dea4ea2f

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
80KB

MD5
011e3261fa49f61f92223d06a1399f29

SHA1
e57a32d6bc56fe43bfd7e72ddd6eea6a07729751

SHA256
b2c2d86ee6670a9d483844ac69475950d7545bc7ddcfabaa00dee8504e3a2191

SHA512
69fa2b19af52e099bcc90a5f7b2b737c7810a4930999597c6d365cbfc662b840d8585553fd7699103d835a99a5c9b3b3535a9e1946bd99375690b6351605e38f

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
80KB

MD5
2fa7ae4521aa1196ae8fdaa6b13bd78e

SHA1
3e66d6031283d3519b6c1791f058f699c1424e4c

SHA256
faac6cd03a41f1ebb7f1113f1da55959a9d521afd51224b83c8d86b79e5b26dd

SHA512
920a7f87044e220553c4d2e303a155c771c7ab7e5a93f23c1db86dba241af4e24429a1f3ceb371063a2c931002693157195cb410f7fc5d2098f22ed2e13be34c

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
80KB

MD5
70ea9f06d3d2b6eb31e74c727efaef50

SHA1
fdf3053b645240b3de53334e14b2b2fc4cd7e11f

SHA256
a9aa6c94695b4dd6d276b9c8b0279f1099274c3325fa684d6faaa9fcf68c72cb

SHA512
e70593fbffda76430163d5101583817bac512c98cfe67d9089be97860a3b112add1423a5e24a26538b353ef15262f2702c9828cdd462295e854d27283fc7d82d

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
6a1ceadef71e63f5d29e2ec004fbc3a6

SHA1
1012f2b72de89717007199f3aa9b87be294c4569

SHA256
0079c0eb23244f4a19909ec1c5628674124690a206182e0795515a62c3a9cff6

SHA512
b5c95c4a2aed250f2ccbe23c22f8169e0da3af5588454a0a1e3970d0330f7b41980c4f1f636a117922cd0a03cc46de7f9f23f107ff59a29a5ebb0757213a71e6

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
80KB

MD5
cbe541261d21d92ab69cafda910e2024

SHA1
fbd28a5c4ba8fe58104f3ea0c61bff63bf882ebd

SHA256
5dac159c4778337beea975836ce9ecf355c9ac1141063524823b7a27159ccccc

SHA512
cfd1c0f99834e66dfe426044cbe84d398b76c03292fbe70a34dc78aeaac20fe2ce2e3211bd993e13129850c6cde3c97d082da4d3432e61d61aab5a57a3570281

Download Submit
memory/696-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/836-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1192-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1872-598-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3252-544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3468-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3860-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-571-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-591-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads