399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e

Analysis

max time kernel
130s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 05:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e_NeikiAnalytics.exe
Size

93KB
MD5

20cd6fce827f7d5e755146c855e658b0
SHA1

1df15891c96f7fa8441745ce8a7aab3c59fc4bf4
SHA256

399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e
SHA512

c112704c9637da0cec61ec483192a68e26409758416c3dcd8a1f4497cb68ff36943589792803361424f3ca328da08bbe941fb44ffb066629a5ab1cfc2311a111
SSDEEP

1536:3E2E5U+/N0+P96x6Pg+jNja7My0BXRHziJHp3/OJLsRQJRkRLJzeLD9N0iQGRNQX:telP96x6PgW278DTgpvuAeJSJdEN0s4X

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe

Executes dropped EXE 64 IoCs

pid	Process
464	Ffjdqg32.exe
2132	Fmclmabe.exe
4548	Fobiilai.exe
4236	Fcnejk32.exe
2588	Fijmbb32.exe
1820	Gcpapkgp.exe
3404	Gjjjle32.exe
3988	Gqdbiofi.exe
4292	Gcbnejem.exe
3032	Gjlfbd32.exe
3656	Gmkbnp32.exe
3104	Goiojk32.exe
772	Gfcgge32.exe
4652	Gqikdn32.exe
3208	Gcggpj32.exe
4400	Gfedle32.exe
2944	Gmoliohh.exe
740	Gbldaffp.exe
1816	Gameonno.exe
1608	Hboagf32.exe
4144	Hihicplj.exe
1572	Hpbaqj32.exe
1828	Hbanme32.exe
4572	Hmfbjnbp.exe
2696	Hcqjfh32.exe
4152	Hjjbcbqj.exe
4892	Hpgkkioa.exe
3600	Hbeghene.exe
4332	Hmklen32.exe
5060	Haggelfd.exe
1876	Hcedaheh.exe
4988	Hjolnb32.exe
4412	Haidklda.exe
4636	Icgqggce.exe
2296	Iffmccbi.exe
4048	Iidipnal.exe
3948	Ipnalhii.exe
3108	Ifhiib32.exe
3484	Imbaemhc.exe
1484	Ipqnahgf.exe
1468	Ijfboafl.exe
4208	Iiibkn32.exe
4484	Iapjlk32.exe
1452	Ibagcc32.exe
3964	Ijhodq32.exe
968	Imgkql32.exe
1604	Ipegmg32.exe
2836	Idacmfkj.exe
4752	Ifopiajn.exe
4824	Imihfl32.exe
4880	Jpgdbg32.exe
4976	Jbfpobpb.exe
4376	Jjmhppqd.exe
1940	Jagqlj32.exe
2092	Jdemhe32.exe
2924	Jfdida32.exe
3236	Jibeql32.exe
3504	Jaimbj32.exe
976	Jdhine32.exe
1556	Jfffjqdf.exe
3188	Jidbflcj.exe
2364	Jaljgidl.exe
4060	Jbmfoa32.exe
4940	Jfhbppbc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Goiojk32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fobiilai.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fobiilai.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6192	5188	WerFault.exe	234

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpmfddnf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 464	3336	399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e_NeikiAnalytics.exe	82
PID 3336 wrote to memory of 464	3336	399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e_NeikiAnalytics.exe	82
PID 3336 wrote to memory of 464	3336	399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e_NeikiAnalytics.exe	82
PID 464 wrote to memory of 2132	464	Ffjdqg32.exe	83
PID 464 wrote to memory of 2132	464	Ffjdqg32.exe	83
PID 464 wrote to memory of 2132	464	Ffjdqg32.exe	83
PID 2132 wrote to memory of 4548	2132	Fmclmabe.exe	84
PID 2132 wrote to memory of 4548	2132	Fmclmabe.exe	84
PID 2132 wrote to memory of 4548	2132	Fmclmabe.exe	84
PID 4548 wrote to memory of 4236	4548	Fobiilai.exe	85
PID 4548 wrote to memory of 4236	4548	Fobiilai.exe	85
PID 4548 wrote to memory of 4236	4548	Fobiilai.exe	85
PID 4236 wrote to memory of 2588	4236	Fcnejk32.exe	86
PID 4236 wrote to memory of 2588	4236	Fcnejk32.exe	86
PID 4236 wrote to memory of 2588	4236	Fcnejk32.exe	86
PID 2588 wrote to memory of 1820	2588	Fijmbb32.exe	87
PID 2588 wrote to memory of 1820	2588	Fijmbb32.exe	87
PID 2588 wrote to memory of 1820	2588	Fijmbb32.exe	87
PID 1820 wrote to memory of 3404	1820	Gcpapkgp.exe	88
PID 1820 wrote to memory of 3404	1820	Gcpapkgp.exe	88
PID 1820 wrote to memory of 3404	1820	Gcpapkgp.exe	88
PID 3404 wrote to memory of 3988	3404	Gjjjle32.exe	89
PID 3404 wrote to memory of 3988	3404	Gjjjle32.exe	89
PID 3404 wrote to memory of 3988	3404	Gjjjle32.exe	89
PID 3988 wrote to memory of 4292	3988	Gqdbiofi.exe	90
PID 3988 wrote to memory of 4292	3988	Gqdbiofi.exe	90
PID 3988 wrote to memory of 4292	3988	Gqdbiofi.exe	90
PID 4292 wrote to memory of 3032	4292	Gcbnejem.exe	91
PID 4292 wrote to memory of 3032	4292	Gcbnejem.exe	91
PID 4292 wrote to memory of 3032	4292	Gcbnejem.exe	91
PID 3032 wrote to memory of 3656	3032	Gjlfbd32.exe	92
PID 3032 wrote to memory of 3656	3032	Gjlfbd32.exe	92
PID 3032 wrote to memory of 3656	3032	Gjlfbd32.exe	92
PID 3656 wrote to memory of 3104	3656	Gmkbnp32.exe	93
PID 3656 wrote to memory of 3104	3656	Gmkbnp32.exe	93
PID 3656 wrote to memory of 3104	3656	Gmkbnp32.exe	93
PID 3104 wrote to memory of 772	3104	Goiojk32.exe	94
PID 3104 wrote to memory of 772	3104	Goiojk32.exe	94
PID 3104 wrote to memory of 772	3104	Goiojk32.exe	94
PID 772 wrote to memory of 4652	772	Gfcgge32.exe	95
PID 772 wrote to memory of 4652	772	Gfcgge32.exe	95
PID 772 wrote to memory of 4652	772	Gfcgge32.exe	95
PID 4652 wrote to memory of 3208	4652	Gqikdn32.exe	96
PID 4652 wrote to memory of 3208	4652	Gqikdn32.exe	96
PID 4652 wrote to memory of 3208	4652	Gqikdn32.exe	96
PID 3208 wrote to memory of 4400	3208	Gcggpj32.exe	97
PID 3208 wrote to memory of 4400	3208	Gcggpj32.exe	97
PID 3208 wrote to memory of 4400	3208	Gcggpj32.exe	97
PID 4400 wrote to memory of 2944	4400	Gfedle32.exe	99
PID 4400 wrote to memory of 2944	4400	Gfedle32.exe	99
PID 4400 wrote to memory of 2944	4400	Gfedle32.exe	99
PID 2944 wrote to memory of 740	2944	Gmoliohh.exe	100
PID 2944 wrote to memory of 740	2944	Gmoliohh.exe	100
PID 2944 wrote to memory of 740	2944	Gmoliohh.exe	100
PID 740 wrote to memory of 1816	740	Gbldaffp.exe	101
PID 740 wrote to memory of 1816	740	Gbldaffp.exe	101
PID 740 wrote to memory of 1816	740	Gbldaffp.exe	101
PID 1816 wrote to memory of 1608	1816	Gameonno.exe	102
PID 1816 wrote to memory of 1608	1816	Gameonno.exe	102
PID 1816 wrote to memory of 1608	1816	Gameonno.exe	102
PID 1608 wrote to memory of 4144	1608	Hboagf32.exe	103
PID 1608 wrote to memory of 4144	1608	Hboagf32.exe	103
PID 1608 wrote to memory of 4144	1608	Hboagf32.exe	103
PID 4144 wrote to memory of 1572	4144	Hihicplj.exe	105

C:\Users\Admin\AppData\Local\Temp\399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\399391cd620c2b19c0dc3ddda5569488966726e32f6c13a3259539e02ec4c97e_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\Ffjdqg32.exe
  C:\Windows\system32\Ffjdqg32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\Fmclmabe.exe
    C:\Windows\system32\Fmclmabe.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Fobiilai.exe
      C:\Windows\system32\Fobiilai.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        29⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        31⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        33⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        37⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        42⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        45⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        47⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        50⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        55⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        58⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        61⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        68⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        69⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3936
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        73⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        74⤵
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        75⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        76⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1308
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        79⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        80⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        81⤵
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        82⤵
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4260
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        85⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        87⤵
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        88⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        90⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        94⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        95⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        96⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        98⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        100⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        102⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        104⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        106⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        111⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        117⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        121⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        123⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        125⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        128⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        130⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        131⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        133⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        134⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        135⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        139⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        140⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        141⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        143⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        144⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        145⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        148⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 412
        149⤵
        Program crash
        
        PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5188 -ip 5188
1⤵
PID:6168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
93KB

MD5
8de5cb8442229bcef90cbe6653a9feb7

SHA1
83c4f5f1231137bb141b436a072e90fd5afe5725

SHA256
7e087cc9e32220ff1289a6b858f82467f52402e9c81d21098852b6a5b54c6679

SHA512
5b448560adff94abb53d7f6ad47d0c274271d1856d215747c555edf438d70a8c6edf34e1d1b5da723239214b210682940d68a41f4df0e34353864a089101ac45

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
93KB

MD5
e35c5b4c334529d4fb26c5dec75d9a3f

SHA1
eace10022a2166ce1d0a45574fdcbce88b665649

SHA256
983cfdd1144cbdfa55c2534f07abaf0a43c2d02dc6754c47de3f25bafebf22b5

SHA512
c57e2be406452f5be1d82c6a5902a5d5c24d1147b9b8a96aac4395878e4cb8cb610ca105daa2f516b0327b0dd684bfbd9e0a8aec0550f263465b77eaf96ccef9

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
93KB

MD5
20c5ae039877e40f22f5197803c56cbe

SHA1
cdddb294d3d65257dbd594e0ea131a02ca5ed2cc

SHA256
16fd223357074be62db7056650eb257c481939e7beca4ae9ea478fc64f7b6017

SHA512
e7c9bc695bdcb925e54e5eab17ff57c386a6fa72dd3c30dcd8618b95cbed16cf2ff07ee6e7c6905f2b6aa0297985b0729dbac2a513bad6a00646065cb303d0e0

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
93KB

MD5
6ebd2a65f0cf142f0a8e90f336d42793

SHA1
ca55fbc5c61e651da6876787414a8481028b939f

SHA256
5816f94aa4e16b2196911826b7650e2cb503f105cd5e8e78fd55a3f7af5065ac

SHA512
9958d4f4388554cb5f051239c66df99f73c880a8c75b850a61356f4da0ce52475f391c4121886a8b601bcd906d981b0ae821a847b8d7435165b3e65e500a661a

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
93KB

MD5
a93f3b5ccd8f81bed977310c29021cb7

SHA1
90fd442cd6103e5c72d2989362f632fcdb8a732e

SHA256
1beb923756a5e867b93e55f4e0f2884b7d4ddb520d897a8f70ded4f90c49595d

SHA512
1cc5f3101f44f0b8f4ac86cb111bca31b0021ac1c35140927dd56c63585e04542726ea716dc38689ae23ace7f49321cd2da2ab081bed943f19b71956340b370e

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
93KB

MD5
6f4b5e0aac7314ec5eb052d9d0cf3ad5

SHA1
ca21b51d568e9495195344130993b2692bbafdd4

SHA256
7dcf1bf8d30d616ffb4efd2cd42cad8337584879f42d9ad884fb0d9a5b2c9590

SHA512
cdb021644cfa8ea714fa9ddd8663e99818724850ca1acfcce600659246df3a28a59cb4b110ea2c07c1b367be71a15b3e34b5c1f5757def1805778121295ab97e

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
93KB

MD5
3c2794f65886ab875517e99bac0d9a49

SHA1
250bc41124ddf3e0df3890d6a54cdc9e858119f2

SHA256
3de27de640b9fc1ceb8307e6f34311e8f9898b15f63d3f09351184d9fad50e66

SHA512
31adc43ff4686a25702b124ad856ab965e3f6d9e9874c877ea88889da8387c884951b3fa92280b371b415da08b1a57c107a4506faccb85d27462f5ec855df908

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
93KB

MD5
cdf34bb875798660fddaf27e06a1ed01

SHA1
1bf290aa00a0eabe3327a9891b7dc5d06f14a2a8

SHA256
3cf0c7f1aae160d493ae749862764ecd68227c66934037c4638f5b2bc7d01b93

SHA512
16bf60922cc8649074ff36cb8d8f500687e6ed26aa9b202eb4a51f363c8845005ce29160b044098c9c899d35b1863788b51c1ffcb925af21eb1ddf85c8c57d2a

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
93KB

MD5
1ae301f8e31866a9e715c5c72bec090f

SHA1
b6b86753e260c6473af960bd9112fde32aeca707

SHA256
4650f07cfe6cc34fbd5462956ef1f9eef49831164b8a624f10237c0dfd231f92

SHA512
7bbfbd8e27b992bfc08f6c667d75a05b9bb04e575f59934d58e2d8e9fc841cc084111f1b80b327b0247a24cc7aaaab1599bc92dac962c8d20be7087df2996fdd

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
93KB

MD5
dbd8151985643a00e4b9c32c0016142d

SHA1
4d567a9a4f39c7dba95ee4fb936a7ca84abb2c1d

SHA256
68cdaadb0015cb252c7ceb51a1dd40085b7397ea962d42e1b7aacb51ddf24ed9

SHA512
e9dab03dec039c1ebf4694b002c76c1fc7351d6c2d0572b214d5ad10487a5256c0973038ccde72e6d3fbdbcf740710dcd44b63b8776eb58df7179cd7791800a8

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
93KB

MD5
c5d8ae726954d803bcd0c6176f4ca10f

SHA1
9a080f74b409f4464bfd5c6504d5cda3f046464d

SHA256
28d1593225ca3f55bb5932545264bf7aa4dcd0f06170a50885807bb7f3ee8321

SHA512
842fd71ec04cef4c4db26f8e2ee07244689ffbc644ba3e76694dd585e121bdb188f9bada3a584a4e9e7794a21534a3df4324fd79ec8c862b4b87d8e59a788568

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
93KB

MD5
6c7ad9dcb805b83e435eda95efe46132

SHA1
5683702cd8e3e27ae8c83cf328d54074f514aae3

SHA256
d93bbef94bcb11368427d8c9ca6a8294e3bdecf6eeb9161e1eac07e6c1540b76

SHA512
f7e7bec2996fd1105a439786521d279dd2c8c6eb9959a937ca104ddd23c4b1e4807d234e44dadb75aa477243e56dd7236f86d6725dc164b60e56a3d9e1250d62

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
93KB

MD5
dccb03691f153fda5a223d30bcc6d401

SHA1
1f96ad0c661115964b47219936c58ca81118173c

SHA256
b66aa88a2d9a466d4fa21390fc899ee426cb92cca09e37f42db5e48d7a7d6767

SHA512
6bdfd8df83c1d9a616cef124b2e0691a5fe3132427196a7f79f42ec50ff440130526770e59f2c15536992dd32c0e31da94eb6e455abe7d964ffe2147c8129f7d

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
93KB

MD5
6df0bed69e4e26cb71b75ab06acde29d

SHA1
f38b6d75ce5252841a14b1a2c71fe9e6142c407a

SHA256
0880e2916858c12a10bf0888c6611a22771a0e679e132ac3f218bda138e47f28

SHA512
00db935aa11115e64be457f41bfb644dda2e1da75b3807fd42a62583757bdc247ce258bfcf9b30fe70a08d7792ea61ce7631ab86f6e51705606643bfa482e78d

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
93KB

MD5
c96e570b16499eaed7cbabc0ab57a61a

SHA1
63c2616d8a626c277468a225bcd27c36d0a7d361

SHA256
9c241b7c56370c055987c5cb50df37aa1aed202b964ec9c68052450306e0449b

SHA512
3ff7b01298e82e8ce10d640f9d6ed172c0e35ecda1d7d5f572058d8135ebbd82aef35a2c3c508fc5141007512ddef9adda8248206d681719dd5dd2e74d4d7dd2

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
93KB

MD5
889b0057df672afe0d17237b2fb3fc2f

SHA1
6d2b5f8d4039b1354ff34aa3ebed7cd69317a101

SHA256
ef1ba7a9e2516fa9da506471e1e1c78f54180a5ed367cebaa9b87e15fb2be941

SHA512
c2ab47da112d07e9a41c79acce266041c2e67177cc33531cbc489bc23d40012681c9bd3b77dbfbc60c4d15dbdd59e4b7d0cd3054d57654bcaa968c7e1ba49ec8

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
93KB

MD5
d9755c399adec98c2722178ced0e0418

SHA1
b7701422f82e8f97b0b9da61be5a23a35063c3fc

SHA256
9f74e1347b616abdc53ab3230643b9cb9bdf61194fb78f0682bf8b0154ce3f9c

SHA512
8ff37119f5c82d31f13812ec7251903d9502b91742c302ef5455482b47377e3dadb1d2c07de03adbfe94e861dc95de3eab27c08998bbb9b322af3b3cee95c43c

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
93KB

MD5
2053ee3464db55d611ae018acb6d128f

SHA1
4c44f0b81f974fdaa540d34d400fd51ba555e4b5

SHA256
26556f36d0f9a83a4ad0553447279ca7130d073bd211d08e6b8f0f7cbc8bc58c

SHA512
dca80221bcb090dab471643d2dd0dc977fcd4f64b88f79e00e16fe833433a328ce64dd107da4d7b50316b802093057aab296f3d278d54eb90005c1b09ca0b1b0

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
93KB

MD5
3093c927bfbfba45282a9afce9fb2cc6

SHA1
a522241fbb06186c9516323fc9a8cb4c64f5571d

SHA256
5e4c2f849b42efd740db8d553ea185ae4e52a96d06e445e76c7435f5c3d9359c

SHA512
23cbb07aa18c69ee73bfa28eff4c8569f713c6156e4a32d43e69daf657c096a8e088181c1a585e75cbb22acdcc362af7a8871cef48a533ae9046217c2e58164e

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
93KB

MD5
4e17cb71198460d359f068f762fc3f3e

SHA1
d9cb48038c2513781062d40817e9bc4ac84b0b5b

SHA256
d3fe0440e9531552ff53d95aaabbbfb3cfec47e96d0b33bd073fd2c0a785be54

SHA512
cd008a211547c5a9590c77383ac980e9022d16818a58e0d5f56d73d883fe6c77b5c5d27268397d7775fe7050d6c11c34841ce6518988a5f6f37f5ffe4d421be6

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
93KB

MD5
dedf29db560f7f12298f5cec97303c6a

SHA1
6557278639b19d097f26cd214d9009fc6aae4cfe

SHA256
4133da945e12a58938a6e9397fe78c51993b28071697f59a095e30478f25742a

SHA512
566fb26b1fc6e27ec887a6de552031553e9478bda63d87927fa4688ab0f466352b8d2c35a97440a54f4f29f2455efe573380188ee3a44cb1d49f70adc3c27e7f

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
93KB

MD5
40dda9d4a2badcca9515747830a15ee1

SHA1
6dbe78d59fb01e9b76a5fc67cf25f2bff5275158

SHA256
4214fe8caed5c52d63870fbb5e8b8654391ead002504dd136d0df99a8de023fd

SHA512
55a872f9d727da26046bc3b93707436b277618c0486f4f3c51889780ffd0f486588dd093086336a8dcf2204d54f03e4c86b51901db4a12a579b3b56add0c211f

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
93KB

MD5
e78f26d44d0c4ab870ce52d0e9408ad3

SHA1
a173d1b4520612e245750b8ad2a9993aed059c9d

SHA256
779224a82a0d16bc233b190b0d7c2e343df47e5f128afae7c9bd355c6cc422bb

SHA512
c664f444c1e9600c2adac3ab581a5242616af073dcf02789e9761bf4aff7fe4f36f714f32771cbbe4a232e19c757fa70e41cc73b310a2cd8dde09596efa0c877

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
93KB

MD5
fab848774df39dbe09d2abc8c143a247

SHA1
cb18db2d5d697716d066ae7bd27b10bd60fcb0ac

SHA256
51ecb8d6337848fd68a97011e75f77d7346d2fa480fe8d174bd82f618edd5fcd

SHA512
266338c526a1c0bb14131eff7f4769c562bf5b68c78fad49a9473a554c2e83883005947899c38f53a87ea2a9e58c9137e9cadbde7479a3cccc70ea8f02e6778f

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
93KB

MD5
54eb2fa8279b6a386e8940844b368938

SHA1
a39721db2d7cfe22864df0b3391bf001638ea24b

SHA256
baf354d33d422588d79a84f9782020c4843406161a66434b112ec3d2a636c556

SHA512
271e900b034dcfa125cc7804d2c9b830fa0df3ff5e477c095f96446af037ac3e9bec22e08210f6bf7d901b5e8ce05a189b532650bd0327cf5b34b8bb69fc37a1

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
93KB

MD5
76cca8fe2e1a4afe5fee89c331050e4b

SHA1
ba8087a0918f9c77b9a5f54cffda623dae5881cc

SHA256
8cd43236a8d79d71a17d2ce3ce401a1c39b030a8ae9b653a0c9a4aa200afbe10

SHA512
58ec294724a94173818fd51a7416e3e0201f7d6e5767c492278be212ffe62611987d2cb682ea8cde41aa46e99c40783021e6b7990b05dbfe871cb23ae6fd6927

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
93KB

MD5
22f0e4acd879c7b7e548a09195985816

SHA1
10140124f8e792e2b34d08edc7ed5cda886cd3e8

SHA256
0ed796e8543f5015300d3a75ef09908c9f059471f07e5ec8932b93ed275fe74c

SHA512
da79a52b939f33f6ad2c65437182e5344173ac5f672d3784ee54ae4d3baa22ecd3bfbe83f94005d2abea1e529687431ad07b58144c7db23a987ff30192433e03

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
93KB

MD5
324fe11aecf71f2a267e8af9c8d5aa91

SHA1
ea54443b6e1ab89d9de0bec5d025f492575b36b4

SHA256
fced4014fc987d51ef59ea619c06d238516df39eef2d7b043a64fa6a28ae42cd

SHA512
87326c5b59b46511cea281342901e50f14c1a5710e8e88a518779daa6069cf511cdb56dac491c42ab492d8aab6f0fb9ecd89630aa95b55df019c67a15c21a8de

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
64KB

MD5
9faccf6a86907901869f8ef2bc286886

SHA1
6d6bae48e47623ad94ac93e0a8174568f7543a19

SHA256
fe2297cd1316d6f04f75e596f9fcea99f24c6ea1a7391f35cecd63001166d683

SHA512
fa26b19f80d8ae0ba624bb5d9253db2e40148cc38e74430e4d67aad118578a0b7fb812fc22fd137891d60b6e4cb5b14fef805204be671f04e8ce2a803eddf7f4

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
93KB

MD5
ca463c61f3be6c1da76214f9060d6696

SHA1
bd833d94b29a0a30b469432d15ab8a898188a5b3

SHA256
436e4335057f38af5d3dcb7d980979a9a20b5ce18d818a6b3d1fc436576b7841

SHA512
84f59462621650873a99a55a7d30d67da4d7f6d1d7b786d13365f2faa46171f7ceb01a6d17460812a9cb337c858c253fa00e39cb747d427178943701ef6fadd6

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
93KB

MD5
3c378c627b22a757988f089c634e8aaa

SHA1
9d093ef63b494205313cb35a6261606874943aec

SHA256
26c250e8ff229eaaa252d825df9b0624fa9c18ca02f71007ed5de56afa3f72ae

SHA512
62c9d302b224706ae5f0707f032c2d5eb806a324efe0fd667400d24eb76be48c783e5c3db232498fa2bfb4371c3e2b0553fd740cf88cb74a5eda8b4906244ba7

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
93KB

MD5
3e2dc2237c4d8f96ffec1f3e0bd0bf2c

SHA1
82928c48c2144456edb90d551b53519bf23a1109

SHA256
dee33e13a4ad9bde3d5afba8be95586042fa66d7356dd29c8a2ca857fbe12066

SHA512
1f20c2292144c8f2fd4a255cb562249a14f24a958cda51cbcde9149bfef33c034f4fad1d4249b978026d9e6199ccb2847c175c8dfb263ddbb11024a05fb7dbbd

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
93KB

MD5
9b168cf93d58bf06bac2d8d17a149406

SHA1
27b9e684d2aecf34fa31217abb1749a9933ab82c

SHA256
a18c685005321cd3746182a7cdcb83dc9ea1f152d133ec2c6a3da7c086fed143

SHA512
10a563cfedc461342d1e10685f89108561fc2401e8641c421121ee2d09404de3d8a583d16a90140a600373479659b237d6b1e344d4ab6bb6b2a4a5ee64ed76d1

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
93KB

MD5
ffb2f350a2d574fb3188ddb6887c964a

SHA1
9b2b4cf0ad38887ac5ed04331e11f2361f734359

SHA256
9f31cd5a870e76744fa7b77333ee1b856c6d8edcf1c3072c7679a6016c0c223d

SHA512
d94f5d4264817f59d151b8bcb426757af6151d3597f6c5926ce86208f4a7c4ce2c04f6356419175f48b5bd7cfb5f801057291eeaa294c950c9251dcc590845c3

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
93KB

MD5
8f2a5f73029a09d0c7216ebb9e02f45e

SHA1
42e7f91739ffe8336de4dcd79543124c49b7f8ed

SHA256
1903e6daed8156b2903476a5687841b03aa1930fbd93bc1d3cc5062970960e89

SHA512
54dfca358b43581e9a4f67d4fb60d21ed57d32122cf5742f1ba774b6f3f5a333d69be556c9e0a8aee69bfce927b09a1603de85625617e4a72ac607abe6ab74a7

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
93KB

MD5
4f68985036870c9eb6fc6af16554c70c

SHA1
afb82f125b33bef731e0d6d64b49ffa15eb1f726

SHA256
3f4bffc83ac1c0ca054c9166c0a70cb4a69eb6ac48ab9669ddf3a3128e28e149

SHA512
389cf0b2240222ccdb98005bc1e7b5e218d4ac4c9c76c9d477b31bff4229290441e93048e2ef7624efc388d7232822bf9d47b35e7d83d5bdb5c5e6eba5ec6e29

Download Submit
C:\Windows\SysWOW64\Kncfca32.dll

Filesize
7KB

MD5
ef4681283ddf9c9c4c0cf4e43163badb

SHA1
0731877bf0a28bd5be236588398d0eea45afc903

SHA256
2f07c686e3e30861bea177ad23ff1f9cb2c046f93100132d3b0c070aaff459f2

SHA512
38735cc764e990d81bb4126c267e63ddd16646f1531961f43f0e2687d0fee720285bfb7d614579105608cec74e577240f99bc30b6d0b5cf6ad8eb009cf5165b0

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
93KB

MD5
bc948f83cda62988164303dfac35c63b

SHA1
67c045b4df645d52de6c371f5bad57b7148b2565

SHA256
9e227a51f8f3cb7f3df9a1ca34312a05160575b99705420210f281462bec1da4

SHA512
3aa6047752427a6002b08a7b9c584ae9780566bb8c3398e46c40cea0b7018880bfc08a3ee2d2c813722c46653af472dd817bb450db386175f500db9d97fc78ee

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
93KB

MD5
5c41033ade2ddeedc96747578362c95e

SHA1
fcf55888d7b32dc176b84317c80ef221686d4cae

SHA256
bd5e75e02641ff9e01cfda0a445d957ac5346dfb2a324fa12e0acbe48f43145a

SHA512
d59a482c84ca0301b0950a71cea077a5be58d89c02e6f63afe2127935313eb549535ca3e88a961ffcbd8c97c9da4d92bbbdf97fb9f9d9eaf1f04050a0c74bd07

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
93KB

MD5
171c5ff781863f8fbcfab81afd263ce7

SHA1
e61ac8ba212e430c17a63da3f0d7eb639db3b465

SHA256
3c9481a0a581292aee2b65d6b036a5ad1c0f9c56ddc91626f3a0977168b12eb3

SHA512
ca4577cd9e9234046d0889d99252940fbd30a81df9ff63ea064f4c368ac5db1df71d71b223187cd3b37c8b6278f8a5d3708c0607b5d9f307ca4c793d523c732b

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
93KB

MD5
400856cd78b6858d7921ac2db9813781

SHA1
51d4e0456c4a22805ab0524444100e799ed77aa6

SHA256
ae795da1d6f4821a550ad6d84c0586de8626c9efd9371160546e67e5feb2b164

SHA512
ea9ec4ef1243136057be2ff03ea3145438cb1ed84de5d601282c00ec69d8c397013256875c727c0ecf0c66b4a4ee82fecaf092596206af2e13af25be75f8af91

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
93KB

MD5
e36734f69bca75a7b62e035df67b7e66

SHA1
41b55357036b54b255c861581023956c81f310d7

SHA256
b16fb92d3e900e03eb73cdc2fa00e855ad0a79988fa471ab4569e91f96a2f91d

SHA512
82030424a0e8aac16c2cd259cdad0a4349344055c4630ca0415602a3c0b5257ec6ae5fdc3bb2af5da96eb5fe4f20dbd0726cd6f4370d3a6397fe4bd505d10353

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
93KB

MD5
fc59be3e135237208caef2fd90b0d72a

SHA1
616ee80fce95eb5e880d6018e6d6183d9ca4edcb

SHA256
b7cae8e60354301a431a55332a7536f5c83a9ebf4656ea094404d8e67e7575bb

SHA512
73821bf59d925a41d2cb541e23d9493fa553324f286e9e3dc6dededee9c7beabbb586008c458902267d523e63ee3c0b27c29982918fbbdcb388978402fdb80f8

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
93KB

MD5
7f6c8377fb1d40175ad6db24324c7231

SHA1
86ef99c365c3cfcb0d0558919f4a9d418fba8423

SHA256
a05a5b7374fc55e563cbc49c461a1862099c6b3ec79413fa627bc187f24afa3c

SHA512
6100a2e080629a9de0a39b64f9f4448c6cd4314f42a7bafaf3154e5c396587ea811c21afb8e01ad0d010292f52a18271623d9167e533f0036ca77553626ced8a

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
93KB

MD5
1da9424a1433760ba332fcb25b298725

SHA1
c263e0092da547a70d91ce740e391bbf61f3ea21

SHA256
26cc8fad2cca9a1097faa988edcc8252482a28f72c48cf144fac9e25203f2269

SHA512
97667e52971ccd4c27a5616c35cbc16f397a84755116576fffbad8c9edb0e230c1a77419f34e1cb7f9e963bce18240aa76da50cd278abbb8945afa3831392d41

Download Submit
memory/464-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1816-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3404-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3404-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3656-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3656-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads