45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe
Size

55KB
MD5

124abed356789a71e5d434456e003300
SHA1

ba23dd687b5f66fec7ad28269c328f4aa64d742e
SHA256

45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94
SHA512

fe94392b1e0c601fafa1da3a618f061795e660074646d99683f1553b3c98ad7b371a0bcc0e712c1fbb73b2d30ac6d05139d606ae7dd2cf2636fb48bbd1f9d6d9
SSDEEP

1536:w0lERZPqwMebf33UWZ25TcN92icNSoNSd0A3shxD6:TlEL9PPORC2icNXNW0A8hh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe

Executes dropped EXE 64 IoCs

pid	Process
636	Gcbnejem.exe
1496	Gjlfbd32.exe
1652	Giofnacd.exe
1940	Gqfooodg.exe
4932	Goiojk32.exe
1964	Gcekkjcj.exe
1968	Gjocgdkg.exe
2488	Gmmocpjk.exe
4332	Gpklpkio.exe
4588	Gfedle32.exe
2120	Gmoliohh.exe
2576	Gpnhekgl.exe
3004	Gbldaffp.exe
2184	Gifmnpnl.exe
3328	Gppekj32.exe
1960	Hfjmgdlf.exe
8	Hihicplj.exe
4524	Hpbaqj32.exe
4372	Hcnnaikp.exe
1188	Hjhfnccl.exe
2292	Hpenfjad.exe
1624	Hmioonpn.exe
4856	Hbeghene.exe
1556	Hippdo32.exe
2196	Hjolnb32.exe
884	Ibjqcd32.exe
1936	Impepm32.exe
4476	Icjmmg32.exe
2692	Ijdeiaio.exe
2556	Ipqnahgf.exe
1428	Ibojncfj.exe
4420	Iiibkn32.exe
3300	Ipckgh32.exe
1920	Ibagcc32.exe
4864	Iikopmkd.exe
3092	Iabgaklg.exe
4220	Ibccic32.exe
348	Ijkljp32.exe
4324	Jaedgjjd.exe
1640	Jbfpobpb.exe
2340	Jjmhppqd.exe
1616	Jmkdlkph.exe
4660	Jdemhe32.exe
1444	Jbhmdbnp.exe
4792	Jmnaakne.exe
3372	Jplmmfmi.exe
1208	Jbkjjblm.exe
4732	Jidbflcj.exe
2260	Jaljgidl.exe
3176	Jbmfoa32.exe
4224	Jigollag.exe
2856	Jangmibi.exe
3036	Jdmcidam.exe
4456	Jbocea32.exe
2492	Jiikak32.exe
3824	Kpccnefa.exe
4832	Kbapjafe.exe
1944	Kilhgk32.exe
2560	Kmgdgjek.exe
2744	Kdaldd32.exe
4684	Kkkdan32.exe
1352	Kmjqmi32.exe
1724	Kphmie32.exe
4088	Kgbefoji.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hihicplj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5224	5140	WerFault.exe	198

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 636	1260	45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe	81
PID 1260 wrote to memory of 636	1260	45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe	81
PID 1260 wrote to memory of 636	1260	45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe	81
PID 636 wrote to memory of 1496	636	Gcbnejem.exe	82
PID 636 wrote to memory of 1496	636	Gcbnejem.exe	82
PID 636 wrote to memory of 1496	636	Gcbnejem.exe	82
PID 1496 wrote to memory of 1652	1496	Gjlfbd32.exe	83
PID 1496 wrote to memory of 1652	1496	Gjlfbd32.exe	83
PID 1496 wrote to memory of 1652	1496	Gjlfbd32.exe	83
PID 1652 wrote to memory of 1940	1652	Giofnacd.exe	84
PID 1652 wrote to memory of 1940	1652	Giofnacd.exe	84
PID 1652 wrote to memory of 1940	1652	Giofnacd.exe	84
PID 1940 wrote to memory of 4932	1940	Gqfooodg.exe	85
PID 1940 wrote to memory of 4932	1940	Gqfooodg.exe	85
PID 1940 wrote to memory of 4932	1940	Gqfooodg.exe	85
PID 4932 wrote to memory of 1964	4932	Goiojk32.exe	86
PID 4932 wrote to memory of 1964	4932	Goiojk32.exe	86
PID 4932 wrote to memory of 1964	4932	Goiojk32.exe	86
PID 1964 wrote to memory of 1968	1964	Gcekkjcj.exe	87
PID 1964 wrote to memory of 1968	1964	Gcekkjcj.exe	87
PID 1964 wrote to memory of 1968	1964	Gcekkjcj.exe	87
PID 1968 wrote to memory of 2488	1968	Gjocgdkg.exe	88
PID 1968 wrote to memory of 2488	1968	Gjocgdkg.exe	88
PID 1968 wrote to memory of 2488	1968	Gjocgdkg.exe	88
PID 2488 wrote to memory of 4332	2488	Gmmocpjk.exe	89
PID 2488 wrote to memory of 4332	2488	Gmmocpjk.exe	89
PID 2488 wrote to memory of 4332	2488	Gmmocpjk.exe	89
PID 4332 wrote to memory of 4588	4332	Gpklpkio.exe	90
PID 4332 wrote to memory of 4588	4332	Gpklpkio.exe	90
PID 4332 wrote to memory of 4588	4332	Gpklpkio.exe	90
PID 4588 wrote to memory of 2120	4588	Gfedle32.exe	91
PID 4588 wrote to memory of 2120	4588	Gfedle32.exe	91
PID 4588 wrote to memory of 2120	4588	Gfedle32.exe	91
PID 2120 wrote to memory of 2576	2120	Gmoliohh.exe	92
PID 2120 wrote to memory of 2576	2120	Gmoliohh.exe	92
PID 2120 wrote to memory of 2576	2120	Gmoliohh.exe	92
PID 2576 wrote to memory of 3004	2576	Gpnhekgl.exe	93
PID 2576 wrote to memory of 3004	2576	Gpnhekgl.exe	93
PID 2576 wrote to memory of 3004	2576	Gpnhekgl.exe	93
PID 3004 wrote to memory of 2184	3004	Gbldaffp.exe	94
PID 3004 wrote to memory of 2184	3004	Gbldaffp.exe	94
PID 3004 wrote to memory of 2184	3004	Gbldaffp.exe	94
PID 2184 wrote to memory of 3328	2184	Gifmnpnl.exe	95
PID 2184 wrote to memory of 3328	2184	Gifmnpnl.exe	95
PID 2184 wrote to memory of 3328	2184	Gifmnpnl.exe	95
PID 3328 wrote to memory of 1960	3328	Gppekj32.exe	96
PID 3328 wrote to memory of 1960	3328	Gppekj32.exe	96
PID 3328 wrote to memory of 1960	3328	Gppekj32.exe	96
PID 1960 wrote to memory of 8	1960	Hfjmgdlf.exe	97
PID 1960 wrote to memory of 8	1960	Hfjmgdlf.exe	97
PID 1960 wrote to memory of 8	1960	Hfjmgdlf.exe	97
PID 8 wrote to memory of 4524	8	Hihicplj.exe	98
PID 8 wrote to memory of 4524	8	Hihicplj.exe	98
PID 8 wrote to memory of 4524	8	Hihicplj.exe	98
PID 4524 wrote to memory of 4372	4524	Hpbaqj32.exe	99
PID 4524 wrote to memory of 4372	4524	Hpbaqj32.exe	99
PID 4524 wrote to memory of 4372	4524	Hpbaqj32.exe	99
PID 4372 wrote to memory of 1188	4372	Hcnnaikp.exe	100
PID 4372 wrote to memory of 1188	4372	Hcnnaikp.exe	100
PID 4372 wrote to memory of 1188	4372	Hcnnaikp.exe	100
PID 1188 wrote to memory of 2292	1188	Hjhfnccl.exe	101
PID 1188 wrote to memory of 2292	1188	Hjhfnccl.exe	101
PID 1188 wrote to memory of 2292	1188	Hjhfnccl.exe	101
PID 2292 wrote to memory of 1624	2292	Hpenfjad.exe	102

C:\Users\Admin\AppData\Local\Temp\45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\Gcbnejem.exe
  C:\Windows\system32\Gcbnejem.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\Gjlfbd32.exe
    C:\Windows\system32\Gjlfbd32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\Giofnacd.exe
      C:\Windows\system32\Giofnacd.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        26⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        31⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        49⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        58⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4128
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        69⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        71⤵
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4104
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        79⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        80⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        84⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        85⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        89⤵
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        92⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2484
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4536
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        97⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4292
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        102⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3492
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        105⤵
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        106⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        107⤵
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        108⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        109⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4056
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5000
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        113⤵
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        118⤵
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        119⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 408
        120⤵
        Program crash
        
        PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5140 -ip 5140
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
55KB

MD5
f176eb161c63a5ae9b3c24eb4b0dc529

SHA1
cb3df1a039110502882a821e744269b8a4ce36cb

SHA256
29c5e6b437cb8f3d013d0f52ca4478215a41ade355dc4d8b5f9743d0dc0b867e

SHA512
14571eb0fd4c0fd8eff7cd6c5574b42dff979a1ab936f1b79eaab20700eb68dcd01f98bf385dc592c1893b6e42c345560da65da5c61512f0580a4c8510405ab6

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
55KB

MD5
aa3fb8b9f92540599c218816f0e8d222

SHA1
b50000f78ba982ad7ef5ef11c3d4752475934ec3

SHA256
3322f3dd4fbc5d51ee2191e8073e611562f3f3c6c7515b725419c527580c73ce

SHA512
207b5ed4d0e52a4b996d301b7d7c4f002c929b4f09a2757a88c7ec15347443289f03de47dc8cf402cb8362b3d2bcb4baf345985b18a97c307499cda78361dcc6

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
55KB

MD5
cb669e4cd66d9101f4f3ec108f5273d1

SHA1
9b0d522e45a214aa6b22f5d0c4f0929d3789db0c

SHA256
0093cf33b8311c522061b65032504975310135139bc05532a19e4de92c770d9f

SHA512
8fe2c2e0a060e20756249cce36126c333cccb4ec79864546ba8ed11c3dd17efb6106278335d0f04fd663817a8eca11a460cf9f5c2315e0457507df10445c8d2a

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
55KB

MD5
294a390249c0d8bc3c4d523ec05dd046

SHA1
ebc8dd2c17c7606b5953df142a68e6db0e29ac6c

SHA256
5c8af5f583a397fdfd9f4a2396166dfe9cc3a0f512edc5f40c8a72636c93d080

SHA512
c6c36e784a999cced5bb1f2cb7b5ef5a4fb40660d3463a7be6b6ab17f2321ba069bdb5aaf55c568854c6df2b66a886e401071e3717316aab757f758143f7f6ae

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
55KB

MD5
df25885616b1ffa2c14b0a1d4b5bda53

SHA1
7216a754d6a9a893a691507eaac736c6a855188a

SHA256
ddbe4adaec4e3e153a33305ba19e41a1955ec5ab18927a5e892e387ecc5fc8d4

SHA512
8359078b144ce2feeda3e273130e4496b2e56d226dff48f46de8f5a60706fb68bdc8c35d8488de91a981dbb297d1835924d36626bad8753f96c28ff256f01260

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
55KB

MD5
4ae92df2539a6a490629e0db71483160

SHA1
4edc4d3b3b69d15ff45b756a56ad93e06fc6d2f2

SHA256
0c0eb6acd9fa79da86ac855aeecf057cd6f8655c288be5dcfcdb358556d78f16

SHA512
61b56ad413b7626a833993be39a55b4a8690321354cfd565eaa3b4f16ba2cb26adbe9952e3eecd2484b6e4e6b3cc2e415e5b8f65ddacacbd0bfb0eaf45149c4e

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
55KB

MD5
a70fe53811c7f2540e28547814b0b0bf

SHA1
1c800e5ef919f501eff1f9b3ed9bdc519751a88d

SHA256
9f79a2fe7a4f87b769a699d53c3c4d9827ddde9ed02508d537932198bbdc9a66

SHA512
6754a687145b1f6251a4152d230e913673945e221c6cf53811b1e1c89a1df5c014e3b9c87f09d53c3e1d431e7dda648a63f34d26ec0a10cf7e4a458c92130058

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
55KB

MD5
f3118c60b8ce3a1c3c42db3cce99c3cc

SHA1
c7a766b51820f26143c6b0861cc76f966195f631

SHA256
1a682c937b34763ffe9f6206f53e979df9a37ba25bc896106825aa5f349d3ad1

SHA512
2e73c9fbee2f4271e44e31b9b325b09e8230d43180b1b483a76f6a3290de771a0492d64540f2e1f4c6628e63ecd6c9131346e2efeee07d07edb501634610f929

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
55KB

MD5
1bc57f2b61eb3a9562bc79d51e0b0c61

SHA1
8abf95420c591034a74deaf1008f6cf0f9c585df

SHA256
bec7a0bd651aa001a580b7feca9be44b25c33776a10e5084675c1efeac8d2eb0

SHA512
530437dc6f54788fe388ee730b12bd1503b02ff4e08f46e435f801c1890dc652ad220a1ba699476971242676af96142edd38e1f633c6e85040845cd1636de1f0

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
55KB

MD5
a33a32c3a2e553c54e097c50861cb897

SHA1
9e493893b2016b2b0972d2ec91523e2479780927

SHA256
71cb87800e34b84130161da817907e528d14ded8f37a5ab6c2c19a17f02e5f06

SHA512
91e4f5d2c7d2ca8a8f656e666b9143ca8c2fbf641c73289075838e585b52ff1b0bd6383cac5dbb60458c9ddc941fb425521236cd42d8be1de42a3dbac4032ff3

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
55KB

MD5
6c398c1f9bd8737ab2752bf79281fa36

SHA1
fb0b15cc64eac06fe6974835d2bd8de9a6d33464

SHA256
6331147786493346e5d1d3c3a0babb830d859450410cd26f801f45db619c248f

SHA512
5d4a7fa6caa1eff2360e4dfdb554fc0072d1f5373b4c4b1352aebaf6cc45049cb880ee935c31b3ecb8a5486f047f02dbf1340aaf109fa50aca78add9209d2cd0

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
55KB

MD5
185c7e582bef3bf2bc769a5f9efd2d0d

SHA1
48ae68dd3f2aa629b69921ad6cfbee9c41d8acbe

SHA256
47923775b1cc3e632383a94ef389f70c83fb40383f55f72edcb8b0afe1a241d4

SHA512
2867a603af15855fd56ed05a4722a81bdfd6cf5e16fc77dc7534f01df25de2afcf8a368a5d940ca998c83b9429e2ae2c0f10db3e7f621f1a87b5946dd90a4339

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
55KB

MD5
1d20382288bac67a4a0c208840fbd67f

SHA1
308be2d31619c21a6d87385b21d3f2abc416a156

SHA256
e47d1749b65bd113896c55d1d8f6c6b011cb0c17bc30f08cce9f457b289120bc

SHA512
fba4904ef91f5c6723fd21d746452c88d29d68c57279d16d663e212005c2fab1e2219e7f2e1f0b6458810cb638ee7dff9f745161ebf635a83b3aee0545f68b25

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
55KB

MD5
dff75bb3142792690c0b60a574425717

SHA1
7fb75246d85c7b75845f590ea87f7535adde1ed7

SHA256
60c0ed93fc5a67ec7c2bb4a1cdb956264fbd17eaf76d64bbd6fdfa1c45660397

SHA512
806a056c9e8dbc95d185d185b611ac433b306e628168f27a3b5868dc7643dc1b5d9469d9915b6914b60a629996edb927914b2b12bf59431c36ab4f6f6e2b3349

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
55KB

MD5
dde2693f040b281fe2910639ba1d73fa

SHA1
84d8104dc5f92a66c682656b7e1a2740cefe67a4

SHA256
d1a7a5713e6601c0a5a006bc4df290f817ee9b7d760886c77402b0077efdd073

SHA512
fe16f413e8fe06686f4fcc9b2625a2d872481b20e501acdfe3311bb5873e4fa51862bf6c9368a3515d9bd3ae80c40f022943623fa3b632525c33732b8f7de982

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
55KB

MD5
851b5530ed2f6aad79a1067eef4e5a2f

SHA1
9397824f0f6ae124a34b06f3482e65171dba352c

SHA256
91fcbc317e7b509f8f104aff0c796d419a43d20118767ea75d9c81e202d65bc4

SHA512
9f0e3571494e77dd0033bd5151e88ad40c5f44d49b514e332032a53648be8c934e60c0a16ee93eb248a548f98dc2cffcb7962605fd1e394ae02b2996fb3e02b7

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
55KB

MD5
0f8ac250eb86f679c83f8c020437c443

SHA1
8daa4b8995b06f77c5cbbe25b77b14e5d13a8d5a

SHA256
fcc9150683da17aee490dc71ca1822b6a4370a34bf26bbf636b74c189b8c55c4

SHA512
2385bf72453ebf1b624d22e70acb60ec54065b50f5f70dce97799cd5128083a4b8e33db417ca91e5a04e1fb794ee4a418d2068938fc1fcfef7b9e207e87f0b9e

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
55KB

MD5
64f75fb04de0d3de19c9420502612e30

SHA1
91ac6ff8a20d7e3ff508f2ddb6ca7a2fabf0fc92

SHA256
53052382b9a82d37d65a6d4b0a147c0cad96fab5bc6f651fe59847dd5745fc18

SHA512
a66efe4cdc703565493e2a30b88fb6fd707aa4024d125fbdfc8fe1e3f5346b897ee2c14556fb1f3ae965c14eb2361ba32b517a2346bfd4935685ef915596bd1a

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
55KB

MD5
c6f4729b70c0126ad81654e110a1baed

SHA1
316eb06fc1f2eb0eb0c96d390931e2d6e95592c3

SHA256
96dbf50cbc9216f6ab78208321f76ee7df2d48c96b1d486a33fdba1963637096

SHA512
49a4280186da13da660283e6d79fa4a1899e3983227aa88f7cabd8c82b18bd4c724d003e1512b7615ce31b9f1a9eb4f7410a37161c779096b38bab54f34aac7d

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
55KB

MD5
d29a5f61aabc33af752376721d75955b

SHA1
f7b048414adac3fc50df2c7b45e1bb04b38bea17

SHA256
29f213729aebf34411622cee35e2818056d15f22ed2f52d25abd067d0b8f215b

SHA512
94fbbbaa496236267abfa6ee5457144a2a11c87979d4041812ff174223f509b543ddfd50e88eb6b6513b56be6f5574c69f29b5968d1470acb8b0743789e52bad

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
55KB

MD5
4f7a512e54a996d4c66e6ecb04837f24

SHA1
9c5dbfce8e7e57640a84a2431d270a0c6b58a9b6

SHA256
6d75ab81ffd1a118568c34647b504dcd1426a7efcf297efc11e8a4a75d984ae8

SHA512
cc8bfff22821f61bae7e1fdfdfb40a5eff29edf9a4fab13352b233bc672a8ef1407c929513895654faaf07c445b779760c38c4357ed5916d7e392f04e4f8789f

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
55KB

MD5
a88e3203cfaf2321a9a5a497d7c41926

SHA1
ab969b259064c3c071a81914079e0345295817db

SHA256
b070d18c6462ae5b488913ecfe5e039989c96915fb244422e0e9dcc1b7ff0643

SHA512
449e59ac22338abb8cb924c8ec3aa902e9580b7639b13c13ffd471d5a319c9f58da49ce9dc27221006414ed0b016b43b706603425d0598e17f0430a1ac07b678

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
55KB

MD5
ec8f2eca74e5c7c682b52271ad1032d5

SHA1
0b4be863cfb7db4dfbfcb42d6a03245eb0dec6ec

SHA256
ba922fc76407d6c1b9859b583977df90ced6fefea9026aff777c7a16e4ad8026

SHA512
7799d046283680f0f1e61c912f8380257c2bca7b558388621fb3ade4e680e7af414f0bf74c75f80c9a712d0aa3418cb156c3a7345b0ece3c22f3db2bca883fcd

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
55KB

MD5
c851adfc8dd2a41ff916c42a9f1fd8b9

SHA1
82d7aaedf594d6a80b2157364bf9d6413506646a

SHA256
1c5c7a802345a5b1b1398f6946d5e6b195e4e1d3822d29a3657ad0f9aab83acf

SHA512
c25da009ecf050b5c063a181bfc18b92564d4738088d006913499d60eb3093d88066869f204f65d268fa402fc044df957f149bf2c36220708e302b348e212a6c

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
55KB

MD5
32dab62f2cd9dd93c7e3ce6aa74b513a

SHA1
99cccae860e5cfc84edf9370913213c497b128cb

SHA256
db78bb96f6fd1323fc7da47d952c705153b3252c0eb1e30c9fe71041d34d5411

SHA512
64f16b0ec3ec1e6a05374a2925f2169394bb8fbeecddd06c7df044c1c1026195a2302f63169376a5b5f4232a195cedc31d789091b09f17267533cdedaad6ef35

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
55KB

MD5
3037f6a6c85c93bc59a24cc1781469c4

SHA1
56d2289a41f63be2ae8470e840e8493c3ac818c3

SHA256
d18f96fe2ef548bbd84604d1a8946ca8151adf3891efb70381b12111225dfa44

SHA512
ffd139715b713c67fcd925bc2fabd6e6e012fdfc1ef8a32bbcff8694f3c8d6cb67026cf56d060179cd7bfa7a88704beac40f4cc1439d1cc7a7bf6be33e3bd1e1

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
55KB

MD5
a4484ce84183ce55a623624dc7dbd902

SHA1
89f553de5c567e55a4bd220a9dc8cc80fa329b51

SHA256
04400e26eafa07d0472c3fe177bc28549f8419eb4b05e47873027c9e7a3b251d

SHA512
06f5a2b70174eb476bf2a818f23b25c20607ee5dedfb49c3444a11257bba4915b440f68e8188073d552ff5273ac03d136abb2593806b3722d5d30c40312175b4

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
55KB

MD5
ee8a1359e41c8739c5a00a1261c1bb34

SHA1
9ba39a7db51ec94077bbd18dbb290d0eed5ddcd8

SHA256
5b575a2c2adf01084f1e69879b12790d6135b997cd0292314af59648e4e9c7c1

SHA512
8ea4cae9550e96bfc5feb72108d2cf7ef95dbc0e7477b0d85612ac09727426c76ba2eb4bb012f899c91a2e6d121b9df434d778e6ad1409967592a20f1bbc1dff

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
55KB

MD5
d3db1e7663bdb1badada3b3fdd88c013

SHA1
8b83b9bc6e4dfec923058c2f589c8a8b74dc27b8

SHA256
ecd1192e3b00d7f35d7d8bc19fe34061445ba4ee190a65987c6c8a407af16761

SHA512
652b2d79d4d22ed6f4742de8dd9e409f36a34d58afa39ad972e010ed65e2ea41f35d82a7f5516f9fbfb381a2240088fe1bcc8d5e3f114e36248e5b158a462dcf

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
55KB

MD5
ddcaf30e3ea0c81d7910d2002d517000

SHA1
d46c307852ef5711feec37c4c82fa6b25b6015fd

SHA256
42b0e97749936147f92e4594b6b0b8d5d88ed3817afc871ed77918eca85118fb

SHA512
2f59066467d6d188765c6c36138f282d6cfd6d8151fec569e804d8568c8a3ce740f3fa02af8ffa87ff18bb33ed895cb736dc96c41096ce76d313b88f9f82e975

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
55KB

MD5
ab9272bc86c30d6df42f96d387860554

SHA1
6bb2ee1d4b7735671a1d44873e1c960650f298aa

SHA256
92cb2257db98d506c6f449d19529817e7d2d4ceb95eaa4a9efbaf83d64155703

SHA512
895373ed475a8f9260f13fe8c051686ac791ed287f5b03112d6fb24ad651207e015976e42ec6d1b59e77db0149146dd440a8100b5704486a4b1ef778a4de51af

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
55KB

MD5
47f8ad2b699d136d73d46476689e0e07

SHA1
7597ab23dbbfd149a83c9003e3a375e869de4be3

SHA256
3db741c02bfca4f5c8d10041a7a53ef92ee4ef352129b62d78b4bde897e10b37

SHA512
41923664ebf368d4483ab0e6714bf8c6e33a4329ef0aee0cf54c53232c29050d84cc7e2fb88f7100d057d26d93ff885a2107a2457e8264c3acd123bdd82bb733

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
55KB

MD5
bd4db85cadb75e05bd4aea4fbe061f5a

SHA1
1c4f3999d16883b387eabc4e74f7507e9b34fb36

SHA256
b53a3ea4ef23b6543492e9d057791778e95c22405bb4535485906faf819291ea

SHA512
18a5a4656931666a7ac5a8d95e924e1babcbcdc4950249b3be90171888164442613c824e9babb1353a7e8eb33388cbc4553a3499f88cf2bc28bf3294a536d8c3

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
55KB

MD5
576c540d9350cb83d74e8ed64e45ece6

SHA1
1cb5fde2308f6d8ce8c9a4eff26c4f6b8258d7e7

SHA256
8339cb4b4a8c88ccad30d384f775a5f4496d355f15292c19c78f20e0e38bcdea

SHA512
c38cea1770566f3c3619717e8ed622dd083157c17577b2d8767b4ae47fe3c983e11170faa8843341d48ad763cb9d53ec3f5fe7a314976aaef49ce084fb20f0a6

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
55KB

MD5
be3a58d05df84a6bebcaf6a6a694859b

SHA1
36fc1cca91e75c849ca27f05e8bd5bf3213ce592

SHA256
dd7a331ac63aa291ed0937f20875ea40d2403d22b21bf1ae9c5d9c52c86f34f9

SHA512
6a039162b00777c9f0cec21120e5ab2b014ff1328d3a136e38ad9e4224893093cedbb53fe6af90a6a850d1cb0240778b86c3c646ecdaa15ddab9374be33f77c7

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
55KB

MD5
c4d29386e69403c8173ee4d46f87ccb4

SHA1
204d520fe6c6d13340b4e4ae24a5da72541bfe48

SHA256
90f52562d4a5d89f417f11ddf6a04d77d11efa28ab69b01b0de56bde0fac9edf

SHA512
a62c67bb3c36ef2c387f5298fbf33b0bd2642265868ea5df9815c9d61fbe2f42f4c0f1e15f16bb8c89e3a69a95a5e8ca1ce2a3f303eee1770fb7004a10ca841e

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
55KB

MD5
19ead57452d261a67bb0ad12f95cc090

SHA1
6d0ef5ce217d13053808fa79d67f937f6f42f331

SHA256
7121ca21a2f56235a2c10525badc224ca82e7fef406d2609f83e29e107f9dc80

SHA512
63b022a4baec2fe786551251d165528c7531990702962a27818e5eace2f5c9fbdf4ebc048b87c8d34c0da62785b9a5ad6c9439fe7b9abf4b9e273f81214c61b7

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
55KB

MD5
e0f2d45e7eccbcfac04f11c7a2e8a350

SHA1
28327843ad8e469f1462289a53e2e81518fe1372

SHA256
a47d8c09cc6c236c1d85641506aaba75c13cd15d500767eac85a6bcb573f74eb

SHA512
adaf15704c6ac7f53d98a02cc8cc1f0622b4225e153af79539715a1ada7f42d82d867dcd3cdca79162fb852f8ca545c9773c6668dac02f566276396d629df8ce

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
55KB

MD5
eef1612f2f1e9184e59dfd8c2ac246cb

SHA1
3fee75ddc3ce3dcd05895a542a99430632ae4b8e

SHA256
b4e28f6e91b725ae5ffd0e2d74422cfc70bc296b50e907d64943f05241eb837f

SHA512
8973b3bb688d84501f6d4efd4ebf4930b849c89a7b70183f54cd391d0b2119f61892cfaf2df30defb6bf48959f0f5ed459a70320e99a7fd9a8d5e87f016d4a0e

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
55KB

MD5
c2aee3caf6cf0677f635f7e742f7a2f8

SHA1
39553a8dc78ca7fd2a66f2b5b5f61fde1fb46e1a

SHA256
8cb1a29eb4d01bc914a3d31e7463c70120f64832c11bff26abc5cc2699945336

SHA512
e8e35cf6c37bd4f381b92c4fc25126f36a9700aca02574ad9ff5b5f56b320f6eb7a46cce826a17b5d6a0e26e2d1e9ae12e0edf5a6b696d083122ec4c26e13444

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
55KB

MD5
dbb399846005916ced742d9c30de3c5c

SHA1
d1057fe84186560062e6194311d9a5fa9fd7d416

SHA256
b169ba89b06e442974fe21eece7626275d08ad992499ba200d48bab4b43899ae

SHA512
74a6b97b9cc818272aab0a05afb248cbcf91cf86a300bfd920be105a7d68f162e207542789a6be37f9ab3d0101df7d47d72b8c75564492a1f2df0cfdce94feb9

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
55KB

MD5
6c515b254865a770982a0edf8c63b17f

SHA1
87d86e9bdb5a7191f4b93d651f5164ea52f7fac4

SHA256
cb99ac024330b3699eac0cfdde3330fa2c9cbe429da4c5656f16a1dc3f34ce2e

SHA512
2914962ee95a2311a7d53485e32f3e7679279908cb6fb8d0c6a14c806b831cfe8a832409e5683a8a3d2ed97298fcb459653ea77a1acc2cf0aab6849c1619e762

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
55KB

MD5
cbd6e82cdb3d55708599cd55ee522139

SHA1
1cda53d4ee5191ee53a0acae248333c34c0baf90

SHA256
d9a74d31a2543953d99379ab156c1faa6a36c3623250451674b3508ea2fa0070

SHA512
9a701f9d2cdd011bc545c7534c8161eb6763326661d598e0bcf8e7fbb84b17201aaf046fb4f003eea07d69f533ee9a41d28b893034c6410b0efa13e3e28f80cd

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
55KB

MD5
eaf1d889f90dad4f9857627da6b00c0d

SHA1
370655573dc49223717f6386b990848147b62e1e

SHA256
cb62b3e2d0204fcd8db2745b1f42a64dc5102606a50625c47a00494d3750f1be

SHA512
a16b24e9fe7f8c7959a8ebe3ceca173252ffe44c78749db85d69350b3a7df19883f83071694e2bbe7e12c462c3b1614104ff186cd87df07364e6fa80755236c6

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
55KB

MD5
ec5c181939c1afea2a517eb59baed49d

SHA1
7fe4e5ee4c25fc345e99d9818226be64f49d80aa

SHA256
f8efa6255a490892f3d98ee2d29fea9784fa37df4f883a6f6ee3bb2c55c05f4a

SHA512
d08f789cd0f4758be8a8327d8eb77adbf977bede16e32be72d5a146ab8d4b8e7c8a32e21b00c105a84b00d1ede857ee274d998ad7edcad78afffabf3df5e99d8

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
55KB

MD5
dbcf7fe2b4cc7cce275eec28bf249466

SHA1
7e40ba8f93a24b14f104b1c0542944bb3381a370

SHA256
3fb01efdbbddf8e277c7b62ee7402828ed76bec8d2b8065ec4b561541e4b0196

SHA512
4d430f2b68438666a9b1703d78e7fff2375cb8de26b075fbade69ea4fe2cac465724599b65663932d1912ff8aa1898bbb2ee5ee7bd6abc584f2cb7dc47d48b03

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
55KB

MD5
e27f2bcd3a6f374b7b74f630d8f62c77

SHA1
6591648bc5db7fef8f218be4267ffc31dc469e96

SHA256
1337325baa6d786b27b496ee167823d0cb11a0f08de860b0c5daff7b967e11eb

SHA512
61859bfbe9d0c6fea06bfcdb7019751707b794aaccf8982ba31fe866b19872ec4747c3dedccd29b653896bfc060e50dd04a5e91e12c657af391b01142aef066b

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
55KB

MD5
71740fdc93395d85d1bf28deeb983bc9

SHA1
3951e08d1b3f77ec4cbe2eceae3f70196222f429

SHA256
82cab3ce6ab0298e27aa32b5bbff193ab32521582c1fb95e5a64c4c9282b0776

SHA512
be6447b5ea4961f799d8153bba6b8a98c4ba78ebf1234da4a1d8844b8bd9eeaf41ded916ed2fe89d82c2f2a5555b2cceda7d1f12032228f091d327bf8fd418ba

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
55KB

MD5
cbc56c7704839d74703f10541bfec31a

SHA1
44af01524d7ae7af1402191d6100bad9312f8b56

SHA256
a6ab893cce12f59d834ab86962fd9b9ef3d106937b7d444f14cb073e0e7bc109

SHA512
b52a9a62e71b2972c8615a6ae558e9d9745c9d72f52cb50be33a610fa0798c78e23955010def2689e0c2d6079b8214a55caffd3af5a17a1444d24ada64919a26

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
55KB

MD5
7422e002c749cf1ba4caa990b617e915

SHA1
aaf53455fd27d6a447ffee68a0939e6d76dd6751

SHA256
3857ee50cd69d26d2fcd191f74d38a15de2348e1bf601449297ec69b2062acba

SHA512
decf576258b5620937d27e914f972e4826c6a03ff09fc08b7d226efe9589984dd2aa23b23d4b53b9992cf92038367d0ea3e60d3180ce6b0cccdf996b21aeaa89

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
55KB

MD5
603b1c3ffa9db7166b14c666a56befb4

SHA1
f94b1218c0f022bd2267a2d3fe1cd80625a1fb25

SHA256
1558d946ed90f9d11da2bd1fe9bbbd367fc2713065be5474077e4e151b7a23b8

SHA512
89a67ecd59b27fed1db1887024f903a7684705535a8374a83ca87084100dd2bdce8e11e20b98a80f47fb4d098299c386e466f541ce0597c88b7f15eeecee1044

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
55KB

MD5
4207fedefbd9704af9522b2d79cb6ccc

SHA1
e5c088427bc8b72c1340c2ffb2114a828dfa5177

SHA256
650f5a7ea8a68253c4500f9605ba01b5306bf5e8487182ae9a4a7336ab086de4

SHA512
b123e45bfb64951f941f1e708e442020c6a5bb305d7add122bbd066ec2765e0b452c93af9dd298d34849f4759cca8850c9cd8e3e1e70e43640ec70418fa9074e

Download Submit
memory/8-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/348-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/380-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1260-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1260-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-849-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-822-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4088-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4224-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads