ab6c40c61cbbf378d6fb6e26ecf0fa1bcd10a86b9569f6c6a395bad6530717d4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920fc2b70b60fbae93d21a6a76731900_NeikiAnalytics.exe
Size

72KB
MD5

920fc2b70b60fbae93d21a6a76731900
SHA1

a82b8da7b6e5a7569c523a495731fc2375974c2a
SHA256

ab6c40c61cbbf378d6fb6e26ecf0fa1bcd10a86b9569f6c6a395bad6530717d4
SHA512

b0d287a2a106cc49996ab8e05c31b2b10adef029b5f00d2a6e67073aa799a7eaa9fa843c2c6fafa352c22eb12269ba071f59020b259a43469e796aeb89169dbf
SSDEEP

768:v16F6/3Kkqh9ZN/mX7vl0z1lgIx9zKXoZJuodiy2zlE6g1/1H582U9UiEb/KEiEo:oFmoSX83x9zKXoZJ3Vkq6PgUN3QivEtA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe

Executes dropped EXE 64 IoCs

pid	Process
4040	Gidphq32.exe
1560	Gqkhjn32.exe
4028	Gpnhekgl.exe
1984	Gbldaffp.exe
3952	Gjclbc32.exe
1980	Gifmnpnl.exe
3012	Gppekj32.exe
3260	Hclakimb.exe
5096	Hboagf32.exe
4916	Hjfihc32.exe
5072	Hmdedo32.exe
3468	Hcnnaikp.exe
5080	Hfljmdjc.exe
3040	Hmfbjnbp.exe
4648	Hpenfjad.exe
2348	Hfofbd32.exe
1296	Himcoo32.exe
1804	Hpgkkioa.exe
736	Hbeghene.exe
1408	Hjmoibog.exe
4920	Haggelfd.exe
2688	Hpihai32.exe
2980	Hfcpncdk.exe
4900	Hibljoco.exe
3316	Icgqggce.exe
1640	Iidipnal.exe
4868	Iakaql32.exe
4504	Ifhiib32.exe
1464	Iannfk32.exe
3800	Ipqnahgf.exe
3008	Ibojncfj.exe
3792	Ijfboafl.exe
1500	Imdnklfp.exe
4924	Ipckgh32.exe
4756	Idofhfmm.exe
2640	Ijhodq32.exe
5052	Iabgaklg.exe
4992	Ipegmg32.exe
4104	Ibccic32.exe
1592	Ijkljp32.exe
3628	Imihfl32.exe
4956	Jdcpcf32.exe
1680	Jbfpobpb.exe
2880	Jjmhppqd.exe
2068	Jmkdlkph.exe
3352	Jdemhe32.exe
2136	Jfdida32.exe
3944	Jjpeepnb.exe
2764	Jibeql32.exe
3476	Jplmmfmi.exe
2720	Jfffjqdf.exe
4572	Jmpngk32.exe
5028	Jaljgidl.exe
4736	Jdjfcecp.exe
2464	Jfhbppbc.exe
1140	Jigollag.exe
2404	Jpaghf32.exe
1852	Jbocea32.exe
5048	Jkfkfohj.exe
2492	Kmegbjgn.exe
4872	Kpccnefa.exe
4368	Kdopod32.exe
4940	Kbapjafe.exe
1032	Kkihknfg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gbldaffp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6192	5420	WerFault.exe	234

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 4040	1692	920fc2b70b60fbae93d21a6a76731900_NeikiAnalytics.exe	82
PID 1692 wrote to memory of 4040	1692	920fc2b70b60fbae93d21a6a76731900_NeikiAnalytics.exe	82
PID 1692 wrote to memory of 4040	1692	920fc2b70b60fbae93d21a6a76731900_NeikiAnalytics.exe	82
PID 4040 wrote to memory of 1560	4040	Gidphq32.exe	83
PID 4040 wrote to memory of 1560	4040	Gidphq32.exe	83
PID 4040 wrote to memory of 1560	4040	Gidphq32.exe	83
PID 1560 wrote to memory of 4028	1560	Gqkhjn32.exe	84
PID 1560 wrote to memory of 4028	1560	Gqkhjn32.exe	84
PID 1560 wrote to memory of 4028	1560	Gqkhjn32.exe	84
PID 4028 wrote to memory of 1984	4028	Gpnhekgl.exe	85
PID 4028 wrote to memory of 1984	4028	Gpnhekgl.exe	85
PID 4028 wrote to memory of 1984	4028	Gpnhekgl.exe	85
PID 1984 wrote to memory of 3952	1984	Gbldaffp.exe	86
PID 1984 wrote to memory of 3952	1984	Gbldaffp.exe	86
PID 1984 wrote to memory of 3952	1984	Gbldaffp.exe	86
PID 3952 wrote to memory of 1980	3952	Gjclbc32.exe	87
PID 3952 wrote to memory of 1980	3952	Gjclbc32.exe	87
PID 3952 wrote to memory of 1980	3952	Gjclbc32.exe	87
PID 1980 wrote to memory of 3012	1980	Gifmnpnl.exe	88
PID 1980 wrote to memory of 3012	1980	Gifmnpnl.exe	88
PID 1980 wrote to memory of 3012	1980	Gifmnpnl.exe	88
PID 3012 wrote to memory of 3260	3012	Gppekj32.exe	89
PID 3012 wrote to memory of 3260	3012	Gppekj32.exe	89
PID 3012 wrote to memory of 3260	3012	Gppekj32.exe	89
PID 3260 wrote to memory of 5096	3260	Hclakimb.exe	90
PID 3260 wrote to memory of 5096	3260	Hclakimb.exe	90
PID 3260 wrote to memory of 5096	3260	Hclakimb.exe	90
PID 5096 wrote to memory of 4916	5096	Hboagf32.exe	91
PID 5096 wrote to memory of 4916	5096	Hboagf32.exe	91
PID 5096 wrote to memory of 4916	5096	Hboagf32.exe	91
PID 4916 wrote to memory of 5072	4916	Hjfihc32.exe	92
PID 4916 wrote to memory of 5072	4916	Hjfihc32.exe	92
PID 4916 wrote to memory of 5072	4916	Hjfihc32.exe	92
PID 5072 wrote to memory of 3468	5072	Hmdedo32.exe	93
PID 5072 wrote to memory of 3468	5072	Hmdedo32.exe	93
PID 5072 wrote to memory of 3468	5072	Hmdedo32.exe	93
PID 3468 wrote to memory of 5080	3468	Hcnnaikp.exe	94
PID 3468 wrote to memory of 5080	3468	Hcnnaikp.exe	94
PID 3468 wrote to memory of 5080	3468	Hcnnaikp.exe	94
PID 5080 wrote to memory of 3040	5080	Hfljmdjc.exe	95
PID 5080 wrote to memory of 3040	5080	Hfljmdjc.exe	95
PID 5080 wrote to memory of 3040	5080	Hfljmdjc.exe	95
PID 3040 wrote to memory of 4648	3040	Hmfbjnbp.exe	96
PID 3040 wrote to memory of 4648	3040	Hmfbjnbp.exe	96
PID 3040 wrote to memory of 4648	3040	Hmfbjnbp.exe	96
PID 4648 wrote to memory of 2348	4648	Hpenfjad.exe	97
PID 4648 wrote to memory of 2348	4648	Hpenfjad.exe	97
PID 4648 wrote to memory of 2348	4648	Hpenfjad.exe	97
PID 2348 wrote to memory of 1296	2348	Hfofbd32.exe	98
PID 2348 wrote to memory of 1296	2348	Hfofbd32.exe	98
PID 2348 wrote to memory of 1296	2348	Hfofbd32.exe	98
PID 1296 wrote to memory of 1804	1296	Himcoo32.exe	99
PID 1296 wrote to memory of 1804	1296	Himcoo32.exe	99
PID 1296 wrote to memory of 1804	1296	Himcoo32.exe	99
PID 1804 wrote to memory of 736	1804	Hpgkkioa.exe	100
PID 1804 wrote to memory of 736	1804	Hpgkkioa.exe	100
PID 1804 wrote to memory of 736	1804	Hpgkkioa.exe	100
PID 736 wrote to memory of 1408	736	Hbeghene.exe	101
PID 736 wrote to memory of 1408	736	Hbeghene.exe	101
PID 736 wrote to memory of 1408	736	Hbeghene.exe	101
PID 1408 wrote to memory of 4920	1408	Hjmoibog.exe	103
PID 1408 wrote to memory of 4920	1408	Hjmoibog.exe	103
PID 1408 wrote to memory of 4920	1408	Hjmoibog.exe	103
PID 4920 wrote to memory of 2688	4920	Haggelfd.exe	104

C:\Users\Admin\AppData\Local\Temp\920fc2b70b60fbae93d21a6a76731900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\920fc2b70b60fbae93d21a6a76731900_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\Gidphq32.exe
  C:\Windows\system32\Gidphq32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\Gqkhjn32.exe
    C:\Windows\system32\Gqkhjn32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\Gpnhekgl.exe
      C:\Windows\system32\Gpnhekgl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        23⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        24⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        30⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        40⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        41⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        47⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        48⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        51⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        57⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        61⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        62⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        63⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        65⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        66⤵
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        72⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        73⤵
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        74⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        75⤵
        
        PID:800
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        76⤵
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        81⤵
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        82⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        83⤵
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3452
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4392
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        88⤵
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        89⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        91⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        93⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        95⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        98⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        99⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        102⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        104⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        105⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        106⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        111⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        112⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        117⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        119⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        120⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        124⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        133⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        134⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        135⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        136⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        138⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        139⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        140⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        141⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        143⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        144⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        145⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        146⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 400
        150⤵
        Program crash
        
        PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5420 -ip 5420
1⤵
PID:6168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
72KB

MD5
ac179ce9f4b956ab9b24bc2400aae898

SHA1
7a7b72afb4c10af8074160bd28eb49331a52c462

SHA256
ca359744cf875cc2ece01abb4b34e74473cd9828edce005dae63b59e8e1c7f2f

SHA512
1ac837b86be729e185859f4eeab6cec0e4d8e05d070cb6b67a03c253a36979a07161e7d3b1813b2b380500cfa68b9262dacb2ef32f8deec13cd3baee2a2ceb65

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
72KB

MD5
203d078667ae74d32128788588582816

SHA1
b3b52a9eb6dce1b8862ac9c900e7261994a5b0cb

SHA256
397b6df5f10135766ac4f70730f1abde17e79bf31df5501ace83c635790e7d5d

SHA512
ae968ef94347373a609a442fa80b8cd544cc04da250bb0cca1626ed14851b1f07121e628389595bac766287738bbd3884a8a3b9cd75eb5279382c7836de216ec

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
72KB

MD5
b7b21840a8a7dfbc18e1505d75c524ab

SHA1
78fc092d9057cc5a50f1ed3222f79a028b9923d7

SHA256
c06e5b74bd68b160494ae6c701affb801313c22b9337332af597a79f9e61f3ea

SHA512
bb42eafccd750dc4db81549461fc2dde00210f09e527e46d548f25bea6e87936d1c79d2b86946991f58baa774eda2598e67ea9144935d71568eb858ec3168b26

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
72KB

MD5
7afcbd631454388f9375665b4e05834b

SHA1
4e1b9d0f14a09056be10226d49c8c78142e9adf5

SHA256
f1c36dcaa4046a955e64611dd5c782351258957f473b6731c1d10ccd2920591e

SHA512
1419e6baf1acb637a6956a3df32acab86c4774db315b7467511e7718c75946e7d274bd9930f61c1d2c8e43dcc9e89709edb9c5bd8c54c5d52b77a37a8e9a8b3d

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
72KB

MD5
c6de038c3aaa5108e5e079cf793cc1d4

SHA1
be202fa45e69a049f8d0b92204a24da45229c1eb

SHA256
ab9b806c49fef85936ff029f34d2b86b43d96aeb7d8b0324b398b651a0794be6

SHA512
1bc3e2a0d9122f953632b53197cc513421d8959095ce142f2a9ef60dd7a7b1a48b06536ee06d35bd0edf92052e2552b30de4715e90bf0cf6bba4110249b968d8

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
72KB

MD5
7226cfd1940f3ce46996fb25c29dc965

SHA1
ed91f65f0ebe46a8488f860de65d492cff654d86

SHA256
c20d9d650e09c29c4996bab2d899350077b88a050e5eb3735f1e0deb54794a8d

SHA512
6c6add34ab97ac96c01d9b51868ab40c10058583d2d402a1f792e9de07c0b0176c128e091be49685aaf0c5e85ed643781ea8501d2ed63cfbd32a0275d09a490c

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
72KB

MD5
cf9bd80eb031907b868f4e48a8f745e8

SHA1
505bb80d55085bcd6639d881d1086b0514dcbc7f

SHA256
727bc8a87dce00b1776b7519f5347b8248bead899f293b178cda09ad4129ea32

SHA512
c726d5a2321032c78da5c0ba9169efae62c30c8eb844a7f7a51143e7163cf47314d2a540f83fa8ff4e81785129a2084e554321600d475269009cdb220c8fdd18

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
72KB

MD5
be95e5cbafc8d553f97808a08ec56e5b

SHA1
5106bd67469254eed23e10f7ad14f9140234c4d8

SHA256
3ba252a42966c10e947f06f0957ce51049e24c2a853df3fa087300bf42a80358

SHA512
de8cb23f3182e355885c7d32d4ab6d6c11404f6ab40bd77b0ebb18b783f9af71e45fa4fafaad1400059045332010ac5c42fde6be2394b650d9d9b7a31a984fac

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
72KB

MD5
f5f5ed9f3b94e5cd5277f8c3887fc22f

SHA1
569b5dd89ea79ddb394197b1a2b45fee861c348e

SHA256
e87eb1fff4a7929a75d40d6195b5d4cb398f04c941bc032cd960c8891a339d1b

SHA512
3aead27416025cea9e93649be0433589694dfd2b59311487ceac43dab3c054a19742b8043022132bbdf349b1b538b88f58375fa6f919c109ebbc4a3367230dd9

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
72KB

MD5
1d70642a0f8ae8913918d74989265d0d

SHA1
5ec73fc49d5f69d89a737aba7ea6b9e591d618ee

SHA256
49cbb6b4ef7a5cc096e0f7a63c1549cb5ea981be67872ea31a3098fbf542acb6

SHA512
b640a855c1ae03dd636b5f5000ab6a94ce10929eba7db5a9c82ecc71d4fa25cc1a2867869248195eba707350d3fa907b13c30142e374c2af6c8101c9105464b1

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
72KB

MD5
22448f924394fd3d53733f656fc3300a

SHA1
8a97667bdb1e8e0740480cd6acffd5e7397311da

SHA256
00f7a44f3ff9b94de2338540f902b6baecccbec5fe69acfaa6cb1929c4a0969a

SHA512
37c0033586721fc0ac9809d454c391f77af0b341c9f75353a493402c61dfeb9c612cac19dd67af92d812420f3abe8dacfb1de01ff8953cbb2b8ab502b5cff0b0

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
72KB

MD5
9c277abb86828c2c7fa132e1973043f8

SHA1
a72a302818c29608d3cf205ee056e6483dc3aed8

SHA256
9d709dd7fd31562bee20063872d14c87619a6ae04b824c9da551b8f7d8080ade

SHA512
57ae8d5680881684ac493d1887ed99c6169273820296936bc3d0ec960068a393f8c1ae5a7b357440f9d186c83d3da0b6db63ca0f7778235fd37fc8c9058880f7

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
72KB

MD5
89c4b0b21565c865913cd01e66fc540f

SHA1
57b3c910bff15e8db337affcb160222864f62426

SHA256
fc8bd087a6753f3907fab7300a7b5536e8d2a93043f7a491f1125528f464bc51

SHA512
3b2ee6f6fb722a0524ea877e0b033ba7735baf7a0dc68fc621c792c5097dfb17facd4ef514eecf6bfd64bcbc9eef2a160f8edbdbbe37aa49f95c5723c2387a60

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
72KB

MD5
79b1853ffb93172d7994a91246d17dcd

SHA1
cd6f2cd9b825d457d7ed5c9f4a9ac8253952da81

SHA256
fe271d8277cebdd31c30f8ef317f348bbb33690fcc34fcf7c7d83ee0925f0b33

SHA512
4132d2c9108f672bd0970283d1f847f020b9721d6422f67e026fcc3ae64d9cce6c866456bf990ac936562d4da4a925b5549ca9858299663b3897963e2cf6e83b

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
72KB

MD5
58445e9f5dee689c0bfa59eda508f140

SHA1
98a1a9a4a73c86f53a32969b1e3ed501111111cc

SHA256
d19fc96b6908a21aebf3476b119f8925eea980b03095aa1e272ca03db00030e1

SHA512
fa6aba01c9c4e86e00251dc9f5711dcd02fbd0191847c750df491498c8957f2a5b5d3380f34686975b96005eb02db31bd3aca2c8e83fe011a6c1b9de929db3d8

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
72KB

MD5
e54ad7a2ea709b36cf61a090f7c66280

SHA1
8ce8ae361629b1b40cd214013d11ab3b9374233b

SHA256
ee33f2078da828966771ffda42423fca4254544c8cda1fef2c535768efa61ab5

SHA512
5de3132c0c5cb4532e0d0220fe6a5c674f0d5bfd8f7bcada054d1fe95673d321b0d0454333b9fcfb9b0bc48d66ad8c9a2438e089d4c0aa0173b6ac81fc6afbea

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
72KB

MD5
a59e404f8d0027eead2dacddcdc15e07

SHA1
c477390c66098f3b8ab92a8877161d8435e66835

SHA256
fa4de9aeda59a5e8457ad4eebffefa74fa48c75d08c065b4bd1bd990c9c5519a

SHA512
88e2bff4c78dd12ce740b1b1e2be7f21cb8698f7448aeb12ba39fa133444305c8597c38e6716d009a736684816f5a78557c37b8900f43ad81f77923363206a61

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
72KB

MD5
3f8c23d575b514dc93798b3ad4bbf49b

SHA1
2a4a83c1670d143f521f173c959422cb4d2b1d5d

SHA256
6a61de71eed503bfe91b4a7a19ad0b8e09e6b2811167ac176433b35fda87787a

SHA512
52294a47a23dec9fa9a688ff9af000b7378bbbed9d86dee7a816dad64be8832d8b254757bdd56a6a4449ea8cc1e8dd4fb4d4f5d2a5f457b7070f58aceff41476

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
72KB

MD5
c1e803b8d49bd15bbed3b6fec0bcde01

SHA1
0fc3fe3e9110ce809a9e2c817a3ee4276e8dbe98

SHA256
adc6cbc419a840e6137b69b3c65b91ab12d9d792b83de637058f976d3a6ecc06

SHA512
f9be08a436b9344a05b6e0d4c8193a35d260e55b10cd349350538a983a6af31adab9d699b81bf92d36057e3e627fc2902fa268e532cb99b527bf75af9b664e34

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
72KB

MD5
eebb1670ccc50610ebf1ce752eb158a6

SHA1
92a5b2f7b46b1e5927afb811828852132fd83182

SHA256
0008403c5272391678afca857dc1b130e24d52f3c352d7a20b4ac4eabfa1d184

SHA512
3886f026372037d4643211cb8bf39a16c4266052ac4aa9ffb8e56e1c5bb75f12dbebb4c7ce8cf0cd99990f800a38065298a312ddcb053fdb83de4672c27f3083

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
72KB

MD5
6cf16cf4a0e7b09e81116fa264d1a3fd

SHA1
e6a18ee53b62ec4b7e77d2d84645618977a764e2

SHA256
507fd28d3e35144c69e14cf6adc3f44a37dae2c6d2b46adda13ef1d25ab17a7a

SHA512
158ef4ef185ae84d72ea0cae021770109f3c58516c285bb26a3d63e7778f486a0c3134e6b00539e93122a5419e827e2102b52436b80a585909c5ffcb1c3c60a4

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
72KB

MD5
25261cdfdb4e955c42f74d5cfd679783

SHA1
d443e974b0dc81d9efe3793222932ab007d15ad3

SHA256
7a3e515e858c28a66c0718d448b97f71f2173e8bb730e51735ca01789a979487

SHA512
104bf32d2d5ebb2f3dc44da3070ab56b672bbff3a6a2db3cc02ec4003f5b178930f7bddee0c6a30890340a58c0da4be472d0c1a15b4c4e4d91b263a6f25a6e2a

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
72KB

MD5
87ef718cfc6a9368e48dbe2b566f0fb1

SHA1
37c2ee9166f9ccac2ced2ae1ff27d04de4fbc119

SHA256
37a7b0195166c870db214103d6c3a071366e2277794dff6ef4adc85caf750932

SHA512
7d74f2431559edf043acd7dcec7b7f1fb5e17289fde3911e1c91f1fd564e81fd59a319eb9e387bdd4f4c6e5e7288f3f448ac005dcf358f050ef806493818157b

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
72KB

MD5
1042bf5c5de2b9bb990be362fc7950cc

SHA1
38027a811e5ddac0ad3cd84d6fe282c01524bc14

SHA256
d3e2239f4e4423564b3b7d22d65445f271cfa07fd14a9e84834e590fca8d3879

SHA512
13656bf998df18e3067dc894fa5257dcc74731fb1eb939195b83ef4429d68abd49872061123d3c03805808d9ab15638906c2a25a18acc9d49b8bee40e52b6e8d

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
72KB

MD5
5974bc60a365684837358137eea6373e

SHA1
28d40ecd01a72c4c332f731cec0eeaa77b41fe60

SHA256
ac11970c0777d38565984ab3405c337b2b6fb5000ba33287bb090e621bee210a

SHA512
cf785e088ccc41eadd54d7e8adec152b210d11a7e2c1a8c7e836b1325716732db2fc545cd07733261708d34ea04137867a3d98d2b42abd4b0096961e33fa11b0

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
72KB

MD5
20055757ce86bbb113a56a0055bc46e8

SHA1
fc42452ca65c28da733d4afee1593c632e68bc32

SHA256
bb556305578c71eb3dca8fd2e7f6eefdfa43006bc229830ab251ef647c75a8b6

SHA512
d7d93370348a071a59335e8ef58242326f925e2b740386a6cb14323c459e9090f11b91ee2b4c842e3a98011620fa3b869740d15526de76beb30c83fe19acecb6

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
72KB

MD5
ac01b3c52be35d68b2b72b537af6cccc

SHA1
e9ffc444c1c1b0600db12100ed4c22a6602b51c4

SHA256
f5655969bde534816533df454da2971eec8c4dce6d4b1072f3809d22f1e2b284

SHA512
c5cc08ebf7227363a88ef22c9f697dfaf029345110413fed42e36afe4aac0d11a8fd4ad525ec119e0ed72f6939e094edcbdbc29e9139995eabcf8b1e2d28330c

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
72KB

MD5
6be74ccda52194329a65b2f3ff5ac8f9

SHA1
c22654fab4e06954ef31f16121b0c923dea93b16

SHA256
73fa9626ec836b91ec4d6b92b95548ef144d6db66ba94d20a9f5b80f499dd9cf

SHA512
882d5a68ee34614835e602703a4a591b193818076750e2aee70d2f0ed48345348ec4d44d6e985e0dd37de68ae33ac7960051e21ec6f9a758b59b0341b8918ddf

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
72KB

MD5
5c9cd4a29c7a6711fd7c3b0495d316c3

SHA1
e71c1ef4963634a2c32374da1fa2a6cc216c1b09

SHA256
977505cc75e8e062778dab3e726840321be998b2e2626d4c58d52f7023ca2e5e

SHA512
f610dcc1e712ce19d7c4190d07cb5fcc8cf5bd27820b8b27392ea51f548a5a4e8043b6162fc9c68680fb295c6510f5d01c0d7f64fd024d6e5ea5f2f915fa9f26

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
72KB

MD5
9a46f771a1781bfb9c72105574af5eb1

SHA1
25a33e5626e73a425adc729e62f14e1a2d33b96b

SHA256
88f506dd98ffe03d29059e6f297cd09553f8ef58c5fbff284d7e2f32b8e244ab

SHA512
6569f3b562ac85cda324100c26ce78ac6fc7599d4dfa4f6ed2b0cb3ee03846c2287409c6fd14554fc686ddf0790c098a37c61904b12394db41d6de4c5cbaf9c7

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
72KB

MD5
ad34df8d251e67e76eec9eabfb88784c

SHA1
3882b216a407b489ce600f969116f1e294c57656

SHA256
b8ea365636e9445d3ab8dd2e4837757948edb7adaae0fd0c6c8351e5d22745d6

SHA512
abd07278826251ee441673ac0fc12edd34bbb3df59bd5501317e4d44f273532faa860e8eda1c6f631c2593487e85ba7b5d75e1a39e546c20f06d97ad1a6225c3

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
72KB

MD5
a946271831efca168928a4c020e457ea

SHA1
889a1f69d558c2ceaa2b327bc069ef36020a501f

SHA256
3327c20d3ed46295a3fbe5e011c0fcb2ba47eecbc6cbb02cc7668392d9a742b6

SHA512
e14b3916b6af575acd4265cff5b107a260ca199fcf8194b63604f6d06b9ca348df655838fc2fee1d507361c0a56ea8e1769869efde7415f7c32899b606ef66a5

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
72KB

MD5
318ad861495d5101adfc957dcfd500bc

SHA1
b087d879993749681eb305e6f7982c491500f47c

SHA256
ea50d13aa82a7a8f1fa0c1869e3b0eac41daf8f626c3e8c50c732702d0ac0d4c

SHA512
51eeb09a3e5c369c53e7332504c6660e586bd2affce72d72e1c148a791f16e541a5e45ff304cf388e156f40298030cb5138f89b8f8063d2c0cacfa9b5b21d9ed

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
72KB

MD5
7258412652cff8a86e699d813263dc8b

SHA1
26ce7c3bfc693656d0fbd030ac00cbf0c496c9a8

SHA256
32032fce9ebc6f330ede26f057c2f59f81f450a51002dbf061bc427f43472ca0

SHA512
ece4e40511797716915b9e3a32e378982fa055cf89d0c85f33e1400be5dc25aa950a07d59e652af1ed8856d36d5f456b6d6f3da54390dc063faaf8829a72776c

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
72KB

MD5
f18b66c1b0e34ecdee2658dc92c3f6a5

SHA1
00dae4fe8f4f462016a593e95c09457d949a5489

SHA256
6b1c2b49a415597157c6ba1fdd0a84233afe01656b76a76bb297aa56beda3a1e

SHA512
171231ff493d1807a3c2631b7ef2c4bd79e8ef28ca5275e59ff85a1033a570b126e4cffe2f05190d45aa5f5f8aa21ac041b3b667cabaf100a25c642061456fa8

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
72KB

MD5
4fff50146d9b691c84b5dbae21573970

SHA1
ac4fb8b4770ff876622f1f9174e3cb3e1329819e

SHA256
619a18822715e46110439548fbbfe7c91e289eba9f6db495221e7026d4acf0f0

SHA512
cc66944ba0ef78da9a922c4f11ad40bf5eccb62ff50a2a170d66a6e6ac1bfdaf6477e4289ba4a6b820c6c932748c4b2d7d635a9e442ee50f3d58f22fc5de8676

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
72KB

MD5
fce2a1d8588edb05ea446d2d38437109

SHA1
0470b1bc1b7d56263d31c242b21f89b2016127ac

SHA256
bdecea7084ece4e34ef51d57a233fe47700bacff723b7b2af904f628fc180b1e

SHA512
8b557ae56b981122d047a3d45f166d03b203bb058f7e9db0e81d4fd34882069df8407774985809d86aa50b2ce087ff8d9ace5efce41870b1118b55530a63be62

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
72KB

MD5
b47b3b69bfea31e36526c5305fd97272

SHA1
0230182c56941b9a7ab43a17501d8bccfe300187

SHA256
dc0170956103e3af3bac3f9d63464b08da2ce7e394738a63c3a711f6b67d4a3b

SHA512
366430a61540df6a8af958e154d61601e6366d606811c0746d4a6c747559c37a963a7387b078d4b87b5ca2683520493b2376a2ba833bcad46a337f869db81dde

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
72KB

MD5
77fafe0a801848d371b2127b2a019613

SHA1
3806ee1738ad6d296f86fb3b4eebfbb1878bb342

SHA256
33929680d755c98d9d055eda076f7d3c168541e6837c9ca1bf75124fd6afb7ba

SHA512
3fe7026f5c5c384af5a0167e51ef0c4f6c42bd1ca31a84b5b8494f4bc65a4256eea633da4745b2f161b71671bf3a228b19f78ee623f4965f239796e8375ecc8a

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
72KB

MD5
07ce8d72ec458b7b3e7033839b613b27

SHA1
c16c885adf156d20fd3aed49ab16b6bbf108215b

SHA256
d098597e15f67b5fbd08221a18943304e58dcac27e00f7b1d52909e04f465f45

SHA512
bce14d4a94fb56d1d278b9dcef91217cb2c6a1730c005ccb82aaceb929cecaddafeddf88a7c2e8af4dd79cc6f45d055edcf0d3cfbfc0e718f2f1cabdaf8e42b7

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
72KB

MD5
830e715243796ef886cbe5beab8e3a6c

SHA1
05a47d51fd24a0dbdbe0649c2f20b6336a48f6d2

SHA256
394f600edbb83636de941a0f5cd3bf75401fd2cab74b3b177f3b23a5d7625621

SHA512
4f576ff2523014412fb3bee993c1a4b83f376ae4c6caa1b507789db797bb7dd059ee8fc281e17f4828d5fc6d3ab45c5863997639bf38593935d8b72e4e2869af

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
72KB

MD5
ecbd78353d31a51527f5458360a97d45

SHA1
d16760159401f706f4f4b5f7d75aeac40666adbf

SHA256
6d428dce48e59caf9e2953f13c79480d25e7e48278fdded125de60c47abb565e

SHA512
5a4a9d731958c29e619c773d0d1762e70bd1e122cac68b6a3c3f28e57d68b07e0b280988ce07730b78a7220d12da1d3281cb88628369cbb472e24bc69e5b9d9e

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
72KB

MD5
393f7e6779ff5e7d7b120a9ec1010003

SHA1
19584bc35439900f29c5d9c4834d13043e9e4358

SHA256
889a36a1143237a54295eea8876e6ff4e4238fed26065abf4811d80ad47e2da2

SHA512
f7d49108ebb4147eae29889116d7e7fea457120cd927361ca505794d34dda4c48f817c886306bc742ba7f662b4f6c84bdfc81ecc4ec781e54f483d773ce08201

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
72KB

MD5
f2173decb4324400325b04595734b140

SHA1
491ba097b316fa745143482519f4ddc60d63192b

SHA256
34f0e0c34e2043035f67deaeeff8e0fd315e26e2dd5d0e213846d1bdb0d5d2c8

SHA512
726e4bd63aa1fa44db4a3fdf7f82628156d7ccd5345284ebd155fb120320f47fbe632706b87535a3d39f21bfe7c05c91c6bb230cb3cae58ebb41566d849922e0

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
72KB

MD5
9021f35252b64908ec27ba2e57b4db94

SHA1
652a01ec27362418cc13792ab39aeab2c068bfea

SHA256
d5c846f45fcec7b425cbc7848bca547f6aa3efc7143731f00d04447040484eaf

SHA512
3d1e9b8e26944a940c429ccb8a541a99f043eaa716732f17204d4291fe6bae87051317a4456ea5d864d09ca5ea94d6dc5a924d3ce6a66e08eb4b74f485cea95d

Download Submit
memory/736-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1140-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1296-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1296-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1464-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1560-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1560-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1804-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1804-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2068-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2068-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2136-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2136-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2640-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2640-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2880-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2980-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2980-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3040-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3040-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3260-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3260-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-435-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3476-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3800-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3800-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4104-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4572-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4648-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4648-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-422-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4756-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5052-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5052-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-164-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads