2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be

Analysis

max time kernel
138s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe
Size

419KB
MD5

0d8b8ee98c9df06b472e7cbd22071b40
SHA1

f36697644bbd4662f5962da3475c7c2cb2e6d0c0
SHA256

2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be
SHA512

e9d1ad2ef4c6f6b4f77e18924f94d5dc9ac0bea11b5c9601c1b77511b017725a827b9a3551cea51d5c092720083e213b869bdc77f3ee19c1f0700a569b317d4b
SSDEEP

6144:FP2QNkSDe9VByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R1L/gBSfGmtE1se:sSQByvNv54B9f01ZmHByvNv5fJPGs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgfoan32.exe

Executes dropped EXE 64 IoCs

pid	Process
3132	Ffekegon.exe
5068	Ficgacna.exe
1508	Fcikolnh.exe
792	Fbllkh32.exe
2488	Fjcclf32.exe
1424	Ffjdqg32.exe
2556	Fihqmb32.exe
4384	Fflaff32.exe
2140	Fmficqpc.exe
1256	Gjjjle32.exe
400	Gogbdl32.exe
4644	Gbenqg32.exe
1516	Gmkbnp32.exe
4372	Gbgkfg32.exe
2012	Gjocgdkg.exe
704	Gpklpkio.exe
3496	Gmoliohh.exe
1100	Gqkhjn32.exe
1208	Gmaioo32.exe
3136	Hboagf32.exe
544	Hihicplj.exe
2400	Hcnnaikp.exe
3988	Hjhfnccl.exe
2440	Habnjm32.exe
4596	Hcqjfh32.exe
3076	Himcoo32.exe
3476	Hpgkkioa.exe
4088	Hjmoibog.exe
2312	Hmklen32.exe
3380	Hjolnb32.exe
5052	Icgqggce.exe
1632	Iakaql32.exe
2896	Ifhiib32.exe
1536	Ibojncfj.exe
4976	Ijfboafl.exe
4484	Iikopmkd.exe
4968	Idacmfkj.exe
4960	Jbfpobpb.exe
2516	Jjmhppqd.exe
3972	Jagqlj32.exe
3960	Jbhmdbnp.exe
4576	Jibeql32.exe
1140	Jplmmfmi.exe
3420	Jbkjjblm.exe
2708	Jjbako32.exe
1900	Jidbflcj.exe
2724	Jpojcf32.exe
1772	Jdjfcecp.exe
3872	Jkdnpo32.exe
3468	Jangmibi.exe
4756	Jfkoeppq.exe
1060	Jiikak32.exe
2132	Kmegbjgn.exe
3968	Kdopod32.exe
824	Kgmlkp32.exe
1336	Kkihknfg.exe
320	Kacphh32.exe
4572	Kgphpo32.exe
2912	Kmjqmi32.exe
1756	Kgbefoji.exe
656	Kknafn32.exe
4828	Kagichjo.exe
5048	Kdffocib.exe
4852	Kgdbkohf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Milgab32.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Fcikolnh.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5864	5684	WerFault.exe	203

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 3132	4400	2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe	82
PID 4400 wrote to memory of 3132	4400	2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe	82
PID 4400 wrote to memory of 3132	4400	2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe	82
PID 3132 wrote to memory of 5068	3132	Ffekegon.exe	83
PID 3132 wrote to memory of 5068	3132	Ffekegon.exe	83
PID 3132 wrote to memory of 5068	3132	Ffekegon.exe	83
PID 5068 wrote to memory of 1508	5068	Ficgacna.exe	84
PID 5068 wrote to memory of 1508	5068	Ficgacna.exe	84
PID 5068 wrote to memory of 1508	5068	Ficgacna.exe	84
PID 1508 wrote to memory of 792	1508	Fcikolnh.exe	85
PID 1508 wrote to memory of 792	1508	Fcikolnh.exe	85
PID 1508 wrote to memory of 792	1508	Fcikolnh.exe	85
PID 792 wrote to memory of 2488	792	Fbllkh32.exe	86
PID 792 wrote to memory of 2488	792	Fbllkh32.exe	86
PID 792 wrote to memory of 2488	792	Fbllkh32.exe	86
PID 2488 wrote to memory of 1424	2488	Fjcclf32.exe	87
PID 2488 wrote to memory of 1424	2488	Fjcclf32.exe	87
PID 2488 wrote to memory of 1424	2488	Fjcclf32.exe	87
PID 1424 wrote to memory of 2556	1424	Ffjdqg32.exe	88
PID 1424 wrote to memory of 2556	1424	Ffjdqg32.exe	88
PID 1424 wrote to memory of 2556	1424	Ffjdqg32.exe	88
PID 2556 wrote to memory of 4384	2556	Fihqmb32.exe	90
PID 2556 wrote to memory of 4384	2556	Fihqmb32.exe	90
PID 2556 wrote to memory of 4384	2556	Fihqmb32.exe	90
PID 4384 wrote to memory of 2140	4384	Fflaff32.exe	91
PID 4384 wrote to memory of 2140	4384	Fflaff32.exe	91
PID 4384 wrote to memory of 2140	4384	Fflaff32.exe	91
PID 2140 wrote to memory of 1256	2140	Fmficqpc.exe	92
PID 2140 wrote to memory of 1256	2140	Fmficqpc.exe	92
PID 2140 wrote to memory of 1256	2140	Fmficqpc.exe	92
PID 1256 wrote to memory of 400	1256	Gjjjle32.exe	94
PID 1256 wrote to memory of 400	1256	Gjjjle32.exe	94
PID 1256 wrote to memory of 400	1256	Gjjjle32.exe	94
PID 400 wrote to memory of 4644	400	Gogbdl32.exe	95
PID 400 wrote to memory of 4644	400	Gogbdl32.exe	95
PID 400 wrote to memory of 4644	400	Gogbdl32.exe	95
PID 4644 wrote to memory of 1516	4644	Gbenqg32.exe	96
PID 4644 wrote to memory of 1516	4644	Gbenqg32.exe	96
PID 4644 wrote to memory of 1516	4644	Gbenqg32.exe	96
PID 1516 wrote to memory of 4372	1516	Gmkbnp32.exe	97
PID 1516 wrote to memory of 4372	1516	Gmkbnp32.exe	97
PID 1516 wrote to memory of 4372	1516	Gmkbnp32.exe	97
PID 4372 wrote to memory of 2012	4372	Gbgkfg32.exe	99
PID 4372 wrote to memory of 2012	4372	Gbgkfg32.exe	99
PID 4372 wrote to memory of 2012	4372	Gbgkfg32.exe	99
PID 2012 wrote to memory of 704	2012	Gjocgdkg.exe	100
PID 2012 wrote to memory of 704	2012	Gjocgdkg.exe	100
PID 2012 wrote to memory of 704	2012	Gjocgdkg.exe	100
PID 704 wrote to memory of 3496	704	Gpklpkio.exe	101
PID 704 wrote to memory of 3496	704	Gpklpkio.exe	101
PID 704 wrote to memory of 3496	704	Gpklpkio.exe	101
PID 3496 wrote to memory of 1100	3496	Gmoliohh.exe	102
PID 3496 wrote to memory of 1100	3496	Gmoliohh.exe	102
PID 3496 wrote to memory of 1100	3496	Gmoliohh.exe	102
PID 1100 wrote to memory of 1208	1100	Gqkhjn32.exe	103
PID 1100 wrote to memory of 1208	1100	Gqkhjn32.exe	103
PID 1100 wrote to memory of 1208	1100	Gqkhjn32.exe	103
PID 1208 wrote to memory of 3136	1208	Gmaioo32.exe	104
PID 1208 wrote to memory of 3136	1208	Gmaioo32.exe	104
PID 1208 wrote to memory of 3136	1208	Gmaioo32.exe	104
PID 3136 wrote to memory of 544	3136	Hboagf32.exe	105
PID 3136 wrote to memory of 544	3136	Hboagf32.exe	105
PID 3136 wrote to memory of 544	3136	Hboagf32.exe	105
PID 544 wrote to memory of 2400	544	Hihicplj.exe	106

C:\Users\Admin\AppData\Local\Temp\2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ddebb73d477ee341e4db345e726d685d07241e5d4c1b47e335f771967da73be_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\Ffekegon.exe
  C:\Windows\system32\Ffekegon.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SysWOW64\Ficgacna.exe
    C:\Windows\system32\Ficgacna.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\Fcikolnh.exe
      C:\Windows\system32\Fcikolnh.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
      - C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        40⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        43⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        47⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        48⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        50⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        58⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        59⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:656
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2428
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        67⤵
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        72⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3908
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        74⤵
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1924
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        78⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4712
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        81⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1812
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        86⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        88⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        91⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        92⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        93⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        95⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        96⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        106⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        107⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        108⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        109⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        111⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        115⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        116⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 412
        117⤵
        Program crash
        
        PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5684 -ip 5684
1⤵
PID:5816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
419KB

MD5
c840d7555c527cb77b65f224926e9cbf

SHA1
444ea4c18afa64ef373e5bc3f5ae61695d02238b

SHA256
2401d348dab5717a2e1a5beb16610ca2505f52557301b1a2bcc09972664fae3b

SHA512
f3195e8ac40f824786445c39fd8b97aa22621e44ad62731413279c8b4792cc8973a9ea7ccd4e61c8e525ded33ea3dd8d553f0b72d0527d4713b1b438267a0963

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
419KB

MD5
26da00377d951b3a8ea5e87ecb95f5df

SHA1
13891c3adf927b99eb299ab01d363d0c20248e8c

SHA256
dd156a4c000b5253a3e5e7d4db66f684eb4eef56f680e7bc32c71d36dbe965bc

SHA512
81fdbb6f32ec822f5b2a6e0159b6238c92d903a0e2f956be9f4a475dbfc26c185bc2df4c93f87d2faaa2c7d44f62dd1e8a2fef2667fbd44f0eaf1c53285df4f4

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
419KB

MD5
15efbea018eba383420663144b1f7ff7

SHA1
d5732a450a8ef95a47ebae890c65dac6b68cf2a0

SHA256
d7f00032c8380c2d96dc026c75376781b92069f038823aeccbb97c5c13eb9e82

SHA512
d9cbef0bf2add2da11891448f0ba3976712c930d73cdd1c0b53c38d9f1b01b81a0135240b92c746c57ecb9da40a6b999bb98a60ab90718bfaf682e4972ec0901

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
419KB

MD5
b0e3f1e1c956d84b6c79919e48d0d46a

SHA1
451bfc74d9a7db1391707c5826077a1372e11dfd

SHA256
0de4c704133324a76649b2ddd013b0f0cb1468d8b071bcae8653dab9205ad14d

SHA512
393f801aa6749d11d4152218fe24b145e66b5b20fcae258b741b41ffc209b29c3f7faf673dec7aa07b427f536645296d8d1604680e4f397f920a5d945740ba19

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
419KB

MD5
c4cfe5e99c83e554ebe56b935f1586a8

SHA1
080605b8ca81cad37ef73b57e160b80ede5ee3cf

SHA256
93728b774f29cddade090bd746885acebed143ab8c287022cb8f4a86f0438f7c

SHA512
d1704eca294ed51f694a233de1e3f7cc793fb177f98f2df37033c8702e7974d6905b2a1c6c0e04767db97e83110895937f88102e181b22f316bbdc7099b73159

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
419KB

MD5
46897ec76c226bf5906fdfbf2b2a88d2

SHA1
66652d54107bc943c3080f64d6fbdb790f467a4b

SHA256
4a22d047da0bae163d427505d7ea70174a9035999e94561b5afcf002c8db2b6c

SHA512
8a3e9a7fa099d3a1f68f77a91a261138805b58de6cefc80988016a17ae5c83aa65b5a9a3c86d761650cb01201f843f190080e28f3b3c8e5559b0ff7f97138e92

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
419KB

MD5
be7e97451cbd4525d7d838455431fb53

SHA1
c2b8ef6fe08ee5293c65ded394a970a6a0440dff

SHA256
2dadf08fe7d3d75fd1943f4ec9ae22f2c2d722ee4b50e3443dfaf690f4f1a3c8

SHA512
33915ecacc4df1ddb6829e186fe8b94a7b6968012d15032332c2da11f3ae9212f6d4f57c6f10cce07b0359d7c7933c4633d2ab8b727f648154a35b52e47c9aa4

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
419KB

MD5
9b54a2f223efb5f60c4a060a3444315e

SHA1
adf5def73b2dfd7c0935cafe2354804fce44b36f

SHA256
044d6bd95b2af4b420e597f8b28e83faea7b125ac96ae7738d5a5aa47bef0092

SHA512
6e3058b2d5ad9e02a89ed39713d842b4697dcb85fbe0e10de0afd675b85340fcad12c0b232fc8b01f88007739ecb84b9c1ebb9d2e6d367efa14246f141e51a69

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
419KB

MD5
2abbf69a336ace67a185444c10cfe669

SHA1
41100595cdd376aa9e4bc2cd6693adb160da823e

SHA256
9639ba4a4cd1021ab244ac270b78d8da66100562ec81be96578c73b30a949fa5

SHA512
8eb07862eb3fc435058fa1f0ef15ea971ba347fa69a1b22d0ec2f9a3a69534cb54784780fe58a9fe1682844474a4a88978e454942371b377673fce54813db0b0

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
419KB

MD5
ce952642faed1490cef2725ca55fb7c0

SHA1
98113849ed919b2e7703d1e6a78c501bb2e6982e

SHA256
0876981285378430c13f95984ae1be9ff0ee4d29fa724e75b730228cb0d2aac3

SHA512
561da2c6ad4041d7515a2c75aea84d45fe360cb71b65f3a3cea2384758ea3d37306a1297cf86a1e0e3098a8b37240cc03df20d2cefc798503d6af4070649dd27

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
419KB

MD5
2f07a5f4cb5efcc3c8e8dbc79189d957

SHA1
f932a7d083de559057e555dae5abafd79b38b4ae

SHA256
d7bdc66866f307a0a24b00c5148bd022698d7852c05435dbc388ed90c532f996

SHA512
1000e2bee58f902cf37f032192014aba4d7ca450d4b25029eae44ca9efb1933ab405a5c5df72003368316d0f16cc0ebac19bbb622c38e1d1f0e09e1794148866

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
419KB

MD5
bddbf26d30f09f50f4f6d11d7e84e5f8

SHA1
8d739486ade5e5c2646ec33b8395ec36848fc178

SHA256
ea7f55b2f481a4a9f45577cc90d3770ed2898249ed993d64678374c5593b0945

SHA512
a118a93f1e4da97b959aeb46eb1231eb22535eebd48b2b90561b8e6b1569d695eb28462a46974866900f32710331c823eaf1691a4789dfceb656ac88e0011147

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
419KB

MD5
a29df819b1fbec290e3f567a8bfdbc3f

SHA1
003a4bfef8c952cb2bac7b8f7ae82a8868d0841e

SHA256
b79552cb7866fb9ca59102daa108d6cb3c780a14df573865935e5c65fbee9428

SHA512
6d068e30da0435d5dc2a6f81438b3c281ac6d5d2eaf677e26826e1f684639838480312758f6bfb86bcd5e18a2cbfdd18eeec943aadb74d3b302f99b427f32dd3

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
419KB

MD5
8d8c4f0997a2f4fe84687a78ac49ae8c

SHA1
d678ffdec2836d4b2f9ada2bfb632d9a9d09b0ec

SHA256
d784efea90b97bbff4af34d7acb2c702557a0b2aff15c90bb7bc7ca889bdda46

SHA512
35273e6dcedb1e46fcf4b24b5fd98fe62735985d6624d589ef12ed564468c69c3ac930c1a60be1afcd555b224d90d4a8562c7bc53db08536938db2a0d9bd7d0d

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
419KB

MD5
877381779a2fd291c24d253e070135bb

SHA1
b46714e3096b8ef39c02891723579aabe0af2486

SHA256
f57833e65a4fc1490b2132131ccfb4638129d8f8d6f48be87457403b3d2d006d

SHA512
5559f2896eb365f71605081069e4115b2e368d3a26d94c74b811c340b428e296a9083ecc926dae4560c4a8ecd23363fe6a7a5c5273e03006ff8af0ecb908fe9a

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
419KB

MD5
9e93ebe506455681bfce98084a92a18c

SHA1
4c92a761c751bdb1fd54fe4f96bc87bc8ada8fdd

SHA256
272674e28f50edad4054d5be893aab7c965bbb6b03d382d2d4699115154ac700

SHA512
8654cea7db523b9c406b4405f8f116eb98a976ccd497a66170f8757eaa3089effa4eaa875361bb216e6a238ea6d469200f7bd790629ec999c54093a67321ea66

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
419KB

MD5
402bce61607433e38e963e201022f554

SHA1
47535b5c4b8dc474ba7cbd9f1f8c30a099d2d456

SHA256
d15d0315090b8f3e369f11aaba904fd4246e5075bb8ebff0366ff0b5e08075a6

SHA512
c6291b534a499485b43930cdc7864c214e7c54a87265809899a6397752c4342ca0c518b7e862a905d0447c6ab2962f42ed3bf363d329019ed77dabe68ce0016d

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
419KB

MD5
a43a66e165c90229a812c55e52b01aa0

SHA1
b25a538d66f3d6697e6608b52c126183fa082254

SHA256
e19f042e51b6085334da4f7f8b8905661e0f4fadb17540d4bc187bbd864217a5

SHA512
79170b4dd39d48b37414a491d7f46da9544e8ec8ac22fdbf886a5515e467727ccf103de2df5d4ac06d00685207c73e003fd96452de3986b5eb3c4ee38dee3981

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
419KB

MD5
2cf0931f3e2dcf07e97bdb8f5f302f8f

SHA1
8e1321fb51e5c9462f31aec243adc1c5c88f1f86

SHA256
fa32046875c5663280f7390f52c3521eadb46a6c719001bb7f730a27b19cd705

SHA512
0a7f3762cfe9ca42b217ba495f386d5f06bb4000eb786a8e14221f638adac8526f9266c06c5d8e171f63857b44bcbdca4952de1b3d9423d85da049245e2914d1

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
419KB

MD5
1e6d449ecda5728995c7f6fbcb3b635a

SHA1
ff16f96c35ab3c0f13861c1fa16a9a399b2eb9ea

SHA256
8837fa9826cb6138a35b08f75ca5c8425379e3eace618b96859097bd0c1bc494

SHA512
47c9cc120b5f50a471404eb5557dcd2af3c4cef9b8d4734622cd5b2007b38a013c48b0fd55c0bdd4b0f3dc2c055158b6f28ea5e821ec79ae679663cc090b1113

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
419KB

MD5
7cc0fe79e28ecc4e3b8153fefd5f6654

SHA1
ac08ef37780ed3c3e2243831453c43a0b3316114

SHA256
54743ef2b8ff05f491636f8ab273b82cd446d1314e24d0191436e4a5c68b3c0e

SHA512
9bef40da28f049f932475432f752abd478afa69c2dae51c860e5ee3829f5d0b190873af6ac811b7d4b1ee583ff7da9336dd5d1e40922b5eadafb176c1d464e88

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
419KB

MD5
7230d7541de70af55135bd6bf51e7ba8

SHA1
e453d39688d2f65839e05d2348fcb98d150584cd

SHA256
04710eb3bae998846b3a7a20a326eba803d769535b8cb49a32edba88e93336a0

SHA512
9182b7256286d6617ecd7aedbfe26a79b0a5bc0b430e4140270eb5c0a754ec753277e67823d55443d62764b5ea0fe3fbf82de8dfef38d46880975b7d9916fe64

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
419KB

MD5
03366350243fbf360a6cd93cc77e1971

SHA1
e6190fa9f2f15953e70555346ec8c5a43be8bfa3

SHA256
ee31a4b9e71c9477d90f46c35b4da003c6a4f3147baf9ed4524a8a809061d0a8

SHA512
827234466de3b40690ac60f044c5aa7d182aea0e577be1d3d762c14b49bf771437892b6582100b8be5461d45275e69d3c5497320300b11f77e548b3e27000aa4

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
419KB

MD5
696fc515f0085be746c0eac29185b2ca

SHA1
2a50d9746e11a7f25ad0ec3f120e1d1ed13c6036

SHA256
8d2cc96c12cd856306e7621f2f09afb411b6e0bda7fda9fd926c0dd69b3f8776

SHA512
40947bdf70c109179d9130ad1971f46f1c3b6887844b2dfa953350e093f83f5b2c8b519c3ec743a7da934aa8195f96fbf2164765f8a61cfc06898135b8e6dcf6

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
419KB

MD5
5768a041c7dd8450e9044bc4a6e0b92b

SHA1
46061fee44473916ebc0dbbe1ca61a182b5f23b0

SHA256
03b25fbe7fce55e8b45343fa130b25f505b6d1a8f7edcdd3f50c23bca14402d8

SHA512
2d82e842be452730cd21482abacfbb4063b0fe823cf151e4a2e5628b792d9f7e376d1dce67388707fa018b070065e294ea98b7b2dc1f27b3ed9a2b3e7a5367ae

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
419KB

MD5
663c766ceda5270d9eaacc3e47fea168

SHA1
f2d19d4fe66a885c16102333f648bea1a8c85a8c

SHA256
12c47350d4f8e4e2caf3a2d776843b8c2229e210e5d2487bae99bff46cf822db

SHA512
fac90a28cadddac7d0032445f333c678d1b06ef0b743232f810fdde53ab9e3b42848f48825a9ae790ec2da2a189fcff61a4a1ab70099e319159e9024edd32fbd

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
419KB

MD5
44a96922eba820a48723d2dc6cd9bf4a

SHA1
ad3a34e8c230e1d19f29a20b7138d2647ee99c94

SHA256
8ae91129d05d32d882360cf6da8ad0985986b64afe2d87f7d093d1c97572dbee

SHA512
4cee26aab1f8939c163b44fe055042148f644ea7b34a0f6bf8cd2652007ecb8d14d902a920ae089ccd29311033a325827b2bab97b6e3edba6c859edf40c91fa8

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
419KB

MD5
86b97c8ad2791c7e4dff5c8b231fdc69

SHA1
fd5a4f3017a863ce4907527fc39dbabd6299b02a

SHA256
47c988cf50f73c3a2a12397b85a80b0572cb8c3f5ab2208816a64dbc10e142ce

SHA512
549f9bff26b7115515f3f03af4e8a9fbaef0fbb059366b5b76ba044f2868b460bc98d6b0a29cbc59c49c2b1c14f4f9a6622cc461268afd69a79c082e126664d7

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
419KB

MD5
50bc546c61739cf49f93e093081112c9

SHA1
66d10aec6f7208c55d2123e14dc55adea61ec81c

SHA256
c5907fc764efd755d1f116acff2b5732a7e5ed3e43d53193af0dbd995f4e9f89

SHA512
116d701e50aec977a4a9c8f7935c34efb57ac1af90ecdcce03b59bcce2b58c349992a0826dd724f72d0d61fe80f59082559f01880d8ca0530bc833c8e8f7c975

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
419KB

MD5
24f5c8052ae5aeb724902d56a165d944

SHA1
d904202bf5d7cdfb38e6ed963aa30164e7d0b506

SHA256
2963aadc80596db2c97a2310cfd442570c1cf8ef1fc250ad4318498e990f1cdc

SHA512
e2332026a59eb8a37a337262add294ed3f7bccb63467a35daa25b6809af1241a8965beae546dfa18afb1696b734bef29338e4a4935e65d64be2b32639a3be305

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
419KB

MD5
3839bf426dc693deec5ba4de44d12b8c

SHA1
2b63104eadb56442cb9fd7b344e52523f7288e2b

SHA256
8f4eeaf532b627b4b653bbfcdc2b3dc4fa50bb1d83078ef69e3a892376252977

SHA512
735814cbf0074913e30fe3053869a86160180ce3b783d91f92b01c2317d5f8f9a12f1774e46470ca8c338b6314a61f7a00fd90db4013bd37ccdc028832cd588e

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
419KB

MD5
eb67780d0e45d4a2a4f0d19b2098accf

SHA1
914101361dcc929ac7fcd0c7919547199d98b4f8

SHA256
a57e179ed050655b2e30b5d3d5c2add4075b5df9408e6967c030e096848c28ad

SHA512
99a1a6d231567f12a7f4d295e18d3778e51774e006b5d3384a4edb8c5a0cf4d30e9dcc13933a5a606f1242b555f1bf1833323654dacd34c80728a15370270e42

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
419KB

MD5
6497f119eb836f50f61191ab3ae3c7b4

SHA1
d6be2ed6d142c243bcd41d2ca24cff32bcdbddf3

SHA256
c78d7db3a1da22b3e7aa7f8997fcf4f96e710c75a11a24d0a936a43e0ec912f2

SHA512
f0ef7d3b16c1d316f42d592a5945dae66d21c1544d0b1fb282300c07da2931dc38bf957b2716598847bc8aa9634569378254d1d284fc294f5c3722ac9acac52a

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
419KB

MD5
a48ffb464c5855e242d45264f0ef3e2c

SHA1
03685640efb3d8a1dbb1c2d2c14a2b8b2e72cf66

SHA256
688f9312386f6919949d505a5951783476dde8455b9f9302cab674c05a0e3d38

SHA512
2468fd56bf4c6cc176f4cb053162939b1359b7268da9101faaeb6be043448ba314ce36fda083f53e341b41f5e3c739f0c0ac5faaececb551ce834798fa86cb9c

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
419KB

MD5
edfe617b3655189d1e87fb2079a5ed7a

SHA1
4e6bb72a15d2e2f54e0b35405f29bd4d433dd337

SHA256
36ed93871f501d608e4bd0b6327985e1d3b2b7c7229937b8bae84b996ada92b4

SHA512
f864ced82e9b9cc005ac27c880d9d907fe1579e944ca47ea2677408cd7ff43ea5517d51ed0b5ba0b1e2b9f53036a359a9f055323a30f6df3b1db29c1a2c75913

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
128KB

MD5
dd490142cbdde2a61f51d0a120c3eff2

SHA1
568609ad7c2762a470f7dc5d9d2fd9f79b7e9d6e

SHA256
1b5a0059562cd6d5c7b1bbb2d74d4c1fafb3013d3b34547bb70c6f7dadc6bb5a

SHA512
79d0cbe03b8e93d04c872fcfeaa857674f30485e33326b278967a4f157ef3e36c0bdb24265b2a651d6df481f84ba7f32bf626fa0af290532964c2520daba9fc4

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
419KB

MD5
c643ab296f030d4dbf3e4b2b68d8170c

SHA1
809ac8f8024ccbf5d6b2c1fe2489046474246571

SHA256
e53dc59b84ab995f9fd0a1bc517ac2c08fcb52d5158fb812bfe0a06cf99c5109

SHA512
ac3e6f404055ae3e8287f43bcb2b4ca05b5f48a47499eeec747fd9a622e39ada854b86492a854c0d0a1485ef07028105c43656b6f7779243119e5f7ab9be21f6

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
419KB

MD5
d69b78f616c6b0e98c46faf34bb35502

SHA1
ff73f1ee22d4a56ca0d9325f23b95e85a97c9835

SHA256
5d308bd902f9c9e183141a13c0a340624f8ac2c394e0f1f7dbf294652077c860

SHA512
017509c41c8bce297e5b5d1fc959a2652e16bd8c9de3e2736e3f27351e101f667fa3b7239f803f65a61655d041a970a66326905d38a961c5dfb5a5f57eb13384

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
64KB

MD5
37c6a104f50fedf73e3e4687d17cb97c

SHA1
cf2cdfe1296941ad021160b2b1ceab7ef7c07db7

SHA256
e9a3fc59b66a829b66ada02c96e26cc00f53ee9d191a191a5e1ffaaddd79525d

SHA512
67e5015fd6259b36b9168949ebd2d13ee48de4823d615a9300d22b6fae9c8007e701e2c83a6b2165b0331a87b3f08bec3a6f85ff9199d7e4ba9e49dc3496c4ab

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
419KB

MD5
e2d3fefad8ea25f4ba57865d615f09ea

SHA1
fb7e0be1e32d86405195d537e0d084a1fbde4c41

SHA256
cebc0d94c8c0a813c760bb7ef1b5856ee8b0b143312357da13720e9db4dca802

SHA512
cae6a815b8a39ab26af354a70c7c00cf9decbb33648b9f578f96e22fadb756045e45e46ccfb962c55e493d3f4bd5fc310d54edd452301ebeeabc9d23135be02e

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
419KB

MD5
3cf39cc4cf4212a17e9d20f155e4ceed

SHA1
35bd1c35b94bb3f303c1f7d65fc2e14aa1d18151

SHA256
01514570eeea1990d6095ca79060b559db4bcffddd8dfc959f2b83219c6bca54

SHA512
c3f75294548ea509b9a5877bbfcb97695b3a5bb7635f08f21b2789f2a47f7e76e07559e8b6d1ef555739404d31dd56247ec5a081ddbc0465dcc6c1280941951c

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
419KB

MD5
6342da22f88e0986a1670a541e7f48d9

SHA1
29276ba4177ea688d84a619fe9856a4f01a0fd0d

SHA256
9ca5a788bfcde25d3e324e3f68d2090169a8a636be436ab28cf27f12ac72bf60

SHA512
0425d2ab86a24477ca3fef98d2cbfbf2feac6881ebe38975f8fffca9034419b6935c0a7d821eb90a3304f6c7791651821adfd47a606120e51a3accdd2d7f5571

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
419KB

MD5
f2d8f5db5a08612aa742765d6feab352

SHA1
a1dd5ce810cc5615c211edc6ddbdf62af059d9fc

SHA256
81700d7cb0c5760e2fe43cedd1ea1f18b1c7cbe35a04b11142d1faa62b171850

SHA512
3afe36810c55c225ee3a5dd1c09c83ab4f24508597ccda102401be62b5bee8aa7e1c0d99786b71c999b6f03f2e7480181669ec9ceed974900f920d8d02ec55e3

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
419KB

MD5
8f13a6f69d105cc32f3663bd22b62759

SHA1
709924ce09bcfeb21ff3e7147a2579b875452a3d

SHA256
ed2cf2ec2af2ad6512c22a26814368015d8bc7570dc56d7de6c099342342936b

SHA512
573ebfd97ddc437665e04b5c8ba847c73ffb1075e7e7ccfb8c0e05ea95c2936d584eee0224c751a68115d93905e3a94c6faf3b750a6b1c23f3da6ab55f14a5cc

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
419KB

MD5
f888149230ed795952de5a22f04f519d

SHA1
9854a9cf4d4b4fe42d8c00a336584af3f8b233dd

SHA256
3f0993db9e2137b57c9482f24dff8eebe39109fd013c594b1dde2ee96aaf6e72

SHA512
8f9fc9128a916f0af610a9369a937ad866dd0a4fa77997f6caedc597a0c53889aeefa606171ab2c9252ce03c61a03750819ec04cc247e5e7cf5257550bd32e5f

Download Submit
C:\Windows\SysWOW64\Qfiapa32.dll

Filesize
7KB

MD5
010d49c97bc054ba1e85ce9db726d33f

SHA1
ba69feb7b11b983f18f752c795f88e7cce474931

SHA256
f16e9a48342b3a8302e29a89e803f902bb10ccc28739d588ae6ce7273724a948

SHA512
9354894ac6f7c09c303692aa2f4f1b82e22b421b8eb17cae1e8e620d311fd932319c131c5e9d3a644014f8ff5a741dbca04d2fefa97249dbec95985884e9ad18

Download Submit
memory/320-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-859-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-606-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-889-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-600-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-601-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5392-823-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads