ade673ba66908642f4f6c675ab3694afd0a4e25f2dd9d533aee2bfde3ef7f281

Analysis

max time kernel
131s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe
Size

64KB
MD5

a6041d6856f28e29300ca5af9699f600
SHA1

78c345619259280418bc97980c22658f7f003883
SHA256

ade673ba66908642f4f6c675ab3694afd0a4e25f2dd9d533aee2bfde3ef7f281
SHA512

409714da8c74304cfc5276ef9d0b9395f4f4c970e0ff3ded456f9443adc6e0d72ece217c523b95ccdffcbe7c94a4174697e6e764c223dc62ccfc7e9102ffb280
SSDEEP

1536:DqQdo6bY5yyck1BvX6XaUddx8upeuYeO6XKhbMbt2:DtBYY7KXj6dOeeuvO6Xjt2

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe

Executes dropped EXE 64 IoCs

pid	Process
768	Gifmnpnl.exe
1412	Gameonno.exe
3188	Hboagf32.exe
1656	Hfjmgdlf.exe
4144	Hihicplj.exe
908	Hapaemll.exe
2360	Hpbaqj32.exe
1528	Hbanme32.exe
4804	Hjhfnccl.exe
3772	Hmfbjnbp.exe
1560	Hpenfjad.exe
3956	Hcqjfh32.exe
4020	Hfofbd32.exe
3512	Himcoo32.exe
452	Hmioonpn.exe
2400	Hpgkkioa.exe
4892	Hccglh32.exe
4516	Hbeghene.exe
3408	Hjmoibog.exe
2760	Hippdo32.exe
1260	Haggelfd.exe
2092	Hpihai32.exe
2256	Hfcpncdk.exe
4620	Hibljoco.exe
5036	Haidklda.exe
4772	Ibjqcd32.exe
4052	Iidipnal.exe
4836	Iakaql32.exe
4248	Icjmmg32.exe
4328	Ifhiib32.exe
3440	Iiffen32.exe
528	Iannfk32.exe
2600	Icljbg32.exe
2188	Ifjfnb32.exe
4996	Iiibkn32.exe
2952	Imdnklfp.exe
5000	Ipckgh32.exe
2264	Idofhfmm.exe
2996	Ifmcdblq.exe
3652	Iikopmkd.exe
2884	Imgkql32.exe
776	Iabgaklg.exe
3060	Idacmfkj.exe
4508	Ifopiajn.exe
5076	Iinlemia.exe
1712	Jaedgjjd.exe
2672	Jdcpcf32.exe
984	Jbfpobpb.exe
4384	Jjmhppqd.exe
876	Jiphkm32.exe
3000	Jagqlj32.exe
1052	Jdemhe32.exe
2688	Jbhmdbnp.exe
2632	Jjpeepnb.exe
2892	Jibeql32.exe
3948	Jaimbj32.exe
4900	Jfffjqdf.exe
1160	Jpojcf32.exe
4472	Jdjfcecp.exe
4544	Jfhbppbc.exe
4556	Jigollag.exe
2624	Jmbklj32.exe
2120	Jangmibi.exe
2432	Jdmcidam.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6688	6604	WerFault.exe	242

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 768	4172	a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe	82
PID 4172 wrote to memory of 768	4172	a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe	82
PID 4172 wrote to memory of 768	4172	a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe	82
PID 768 wrote to memory of 1412	768	Gifmnpnl.exe	83
PID 768 wrote to memory of 1412	768	Gifmnpnl.exe	83
PID 768 wrote to memory of 1412	768	Gifmnpnl.exe	83
PID 1412 wrote to memory of 3188	1412	Gameonno.exe	84
PID 1412 wrote to memory of 3188	1412	Gameonno.exe	84
PID 1412 wrote to memory of 3188	1412	Gameonno.exe	84
PID 3188 wrote to memory of 1656	3188	Hboagf32.exe	85
PID 3188 wrote to memory of 1656	3188	Hboagf32.exe	85
PID 3188 wrote to memory of 1656	3188	Hboagf32.exe	85
PID 1656 wrote to memory of 4144	1656	Hfjmgdlf.exe	86
PID 1656 wrote to memory of 4144	1656	Hfjmgdlf.exe	86
PID 1656 wrote to memory of 4144	1656	Hfjmgdlf.exe	86
PID 4144 wrote to memory of 908	4144	Hihicplj.exe	87
PID 4144 wrote to memory of 908	4144	Hihicplj.exe	87
PID 4144 wrote to memory of 908	4144	Hihicplj.exe	87
PID 908 wrote to memory of 2360	908	Hapaemll.exe	88
PID 908 wrote to memory of 2360	908	Hapaemll.exe	88
PID 908 wrote to memory of 2360	908	Hapaemll.exe	88
PID 2360 wrote to memory of 1528	2360	Hpbaqj32.exe	89
PID 2360 wrote to memory of 1528	2360	Hpbaqj32.exe	89
PID 2360 wrote to memory of 1528	2360	Hpbaqj32.exe	89
PID 1528 wrote to memory of 4804	1528	Hbanme32.exe	90
PID 1528 wrote to memory of 4804	1528	Hbanme32.exe	90
PID 1528 wrote to memory of 4804	1528	Hbanme32.exe	90
PID 4804 wrote to memory of 3772	4804	Hjhfnccl.exe	91
PID 4804 wrote to memory of 3772	4804	Hjhfnccl.exe	91
PID 4804 wrote to memory of 3772	4804	Hjhfnccl.exe	91
PID 3772 wrote to memory of 1560	3772	Hmfbjnbp.exe	92
PID 3772 wrote to memory of 1560	3772	Hmfbjnbp.exe	92
PID 3772 wrote to memory of 1560	3772	Hmfbjnbp.exe	92
PID 1560 wrote to memory of 3956	1560	Hpenfjad.exe	93
PID 1560 wrote to memory of 3956	1560	Hpenfjad.exe	93
PID 1560 wrote to memory of 3956	1560	Hpenfjad.exe	93
PID 3956 wrote to memory of 4020	3956	Hcqjfh32.exe	94
PID 3956 wrote to memory of 4020	3956	Hcqjfh32.exe	94
PID 3956 wrote to memory of 4020	3956	Hcqjfh32.exe	94
PID 4020 wrote to memory of 3512	4020	Hfofbd32.exe	95
PID 4020 wrote to memory of 3512	4020	Hfofbd32.exe	95
PID 4020 wrote to memory of 3512	4020	Hfofbd32.exe	95
PID 3512 wrote to memory of 452	3512	Himcoo32.exe	96
PID 3512 wrote to memory of 452	3512	Himcoo32.exe	96
PID 3512 wrote to memory of 452	3512	Himcoo32.exe	96
PID 452 wrote to memory of 2400	452	Hmioonpn.exe	97
PID 452 wrote to memory of 2400	452	Hmioonpn.exe	97
PID 452 wrote to memory of 2400	452	Hmioonpn.exe	97
PID 2400 wrote to memory of 4892	2400	Hpgkkioa.exe	98
PID 2400 wrote to memory of 4892	2400	Hpgkkioa.exe	98
PID 2400 wrote to memory of 4892	2400	Hpgkkioa.exe	98
PID 4892 wrote to memory of 4516	4892	Hccglh32.exe	99
PID 4892 wrote to memory of 4516	4892	Hccglh32.exe	99
PID 4892 wrote to memory of 4516	4892	Hccglh32.exe	99
PID 4516 wrote to memory of 3408	4516	Hbeghene.exe	100
PID 4516 wrote to memory of 3408	4516	Hbeghene.exe	100
PID 4516 wrote to memory of 3408	4516	Hbeghene.exe	100
PID 3408 wrote to memory of 2760	3408	Hjmoibog.exe	101
PID 3408 wrote to memory of 2760	3408	Hjmoibog.exe	101
PID 3408 wrote to memory of 2760	3408	Hjmoibog.exe	101
PID 2760 wrote to memory of 1260	2760	Hippdo32.exe	103
PID 2760 wrote to memory of 1260	2760	Hippdo32.exe	103
PID 2760 wrote to memory of 1260	2760	Hippdo32.exe	103
PID 1260 wrote to memory of 2092	1260	Haggelfd.exe	104

C:\Users\Admin\AppData\Local\Temp\a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a6041d6856f28e29300ca5af9699f600_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\Gifmnpnl.exe
  C:\Windows\system32\Gifmnpnl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\Gameonno.exe
    C:\Windows\system32\Gameonno.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\Hboagf32.exe
      C:\Windows\system32\Hboagf32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        23⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        24⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        28⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        30⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        32⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        34⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        42⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        43⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        45⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        47⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        54⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        55⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        59⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        63⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        65⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        66⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4284
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1928
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        70⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        72⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        79⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        80⤵
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        82⤵
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4884
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        84⤵
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        85⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        87⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        88⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        89⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        90⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        91⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        92⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        95⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        98⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        102⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        103⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        104⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        106⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        107⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        111⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        116⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        117⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        120⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        121⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        123⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        124⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        125⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        126⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        128⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        132⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        139⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        142⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        143⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        146⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6220
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        148⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        153⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        155⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        156⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 400
        157⤵
        Program crash
        
        PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6604 -ip 6604
1⤵
PID:6660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
64KB

MD5
d13b35c3c32ad0c4dd94ecf3c3f010eb

SHA1
4032657af96e588bdf566d5bac45625869508921

SHA256
d31ae824152a87f22c6ea1ec09282d08eea0111db2c075d21ceb5f6f0df612a4

SHA512
0baa443de826194e5b533f77c7e026da48c606f1e7e84b4542a0f0deaa6fcfc3ba02cc9bb48fc5e93b26b38d2ad635d601618b46fe68541f9c4b088a2277e279

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
64KB

MD5
7c81628b1e5f71b06e2ab9623116514f

SHA1
3b70f0a6eb23b015eb4435ad45f823f46a69f249

SHA256
3056bd65f765773da0cf8ea84cb6ee29838f0708f628f2bbb53bfb9b45aa1d9c

SHA512
d4e84327cf2cbb108bd16b6349621534c5681f505d773726538aead97a63ac0d9e1c1018b2b065d78d09ce9e0b3d707e0bfe4e965fdb6aa09c9e98f51d0687a2

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
64KB

MD5
a58a2b84e95c738b2ad4089c3ce6c1bf

SHA1
9beec90263fcd58c44cdb7e9f263c89e41d26728

SHA256
48d4ce247d3f5585919e63b4ee0d7b5bce9fd274f0ec70db44901d798623ceb9

SHA512
c7c5b3ad153eef03f87ea52a69998186320a15928b53eedb010d694bd1b00d21cc5725799f3ebd28dca6173bfd9d50a5b9496fa14358113fdf74b751ba586613

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
64KB

MD5
0d397c4f6a77baba9d8f7bd94bc4d6ba

SHA1
4bf64ab42ff65909e03b4ba08ab93a893c763233

SHA256
39cad88050e9924d19454c4b2785ce680f6446fb76ed413bc9618ac7a0e86567

SHA512
69a042480793baa21b3d9e6b784d21b78ae7c511105ff9c759a310f4f3614150e94525cf686d0065cab9f6408984c11120414630397229bbdc6aec35feabb8f3

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
64KB

MD5
3c2215e2a6ac14b41cca1a2b3d04e437

SHA1
d240fd3559877843af89da3ca494b9fd43dc69f3

SHA256
e6ae3c95db176a43664f4e2a1d9a5797189f408de9d66684c5602c65368b6d0b

SHA512
7a11b77aa7e5a47c391e9bb96268ab52e3e70c5d28bd9bfe55856f98f41cfebf34e704d88fd6274d89f9565ab34f43c6fd5af776fdcbe6623bdd28e7a8cb9baa

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
64KB

MD5
239aedc3b91aa870a5f4a7e6fbb3add7

SHA1
764fe61ff329dc4e47706c7520db56aaf9b94227

SHA256
35d57d7eff6f31c6e255a1ab7031be4f35298bb71bd4089112a3341fed06824c

SHA512
f93f6e1c39174c1088713b60255e9aefe63c95a8f050ac7bf84ed33ca242b0ab070c6205841f23c069508ad6914c2fdb8543905998baf6883f36ee44f4689967

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
64KB

MD5
07a2ef87fe5776cdce330439de8be3cb

SHA1
4393621143ca2d182ada85c1814ff0452a77ede2

SHA256
a8101d8291864b2e286e4765b0fa8a08622374cecc485a0a9193c9faed2d5719

SHA512
f45f8a14da4bfc3b9610f98e1cf9e770d1f6d83a2dc2c36ac9c2bf8ed5b32c7fa0fbc2fbbf695f854f4cba8d3572b3271b1229cae160a8739e570df110507a2e

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
64KB

MD5
cd00bc73a3767dce121fb52cef8d9f22

SHA1
ef867ad61b289ffe7c9b20151e42db33bca7ed52

SHA256
4a7adf3fb591b29428646aab876552ff6d692f18b46117817683c726c9a850e8

SHA512
bc61e5632887e3ec84ceb3808400e9a50382a6bd00751ee357fd820b7fb8f50f0c2a6c74fca3ebdecf9723cc15d185781696ac9b1e473b6c9531e1b7c2c4cd92

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
64KB

MD5
9205a62bd049463ad4d335dd13b76b6e

SHA1
0cc5b2c7595c64e217e2fce01ba9e36f91eb1673

SHA256
e0f5123214baba5703d24939495cced0c777ca8d0076a215c21fe1b369457ceb

SHA512
b9c90daa4aa243c42b37d81fad51b2964b50542f418ab926ff50f0093391637541ca187c9d55a7710f98770e74ffdcb23d4dffac73f6399d3d138058373e6a59

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
64KB

MD5
ae753a6615cb8f10b562b3821b96cea4

SHA1
3841edf2a0bb9f7e23a00aea60629b840074f893

SHA256
488ec931554b18d4692f3f30d252e1e0a0aabdae10ec826476102be1c7021ed3

SHA512
b3f5b6f886bafe26ca76206dafe5ab291b4f6b3e6755dad896065bd114f0c5269a5396f780b2d454c79baf08d0446537180196145cff1e1473ffaa1c07663a00

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
64KB

MD5
9154f935e756a68a929137c3b309a7fc

SHA1
0446ee1499941a073ff789e21ec9187b181c68a2

SHA256
c2fcbef986bda23f92f356d70173263a790d7cfca4fab83eccd3a0834fab7175

SHA512
6fefab7d5cc88e97f8492779adda799bf1acd0e82121e86e245151624caa862341cbfd4514bc9e352e53ed05013506a001aaa59c66df7c113f97bd7b9548b283

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
64KB

MD5
4b5ef2e789c2c2baf2e8b74497bb3548

SHA1
46fbd4b61057853b8d7446d8b2f50e405582e946

SHA256
9b4635e2ee9e77d707eae7139ad3fa5ab224aab7da198b3b5650eb981e9880c6

SHA512
52178e2432b886a5ebc2d022505244aafc28a0777d2fafe4dadfdc301284d44a950b6394bbc7106e047862b9f1a8e8f95032ac4751156ae057799c9a88679ace

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
64KB

MD5
91157e45e95633c69ddedfd58e420955

SHA1
16accf52f3d784474945ec6fc566948791f7a343

SHA256
270327f940d1b48bc952b0231a64ce17bc52f79d5529db501bbd40b9041d3ddf

SHA512
44cc0fc705868d16218a35d9ec6c0bded1a12cdd9b0c7f983d2df9c205ab954f620b54603204a684863cc976b875af9c7d368ca40125ca08ba0379f83d9ccf0b

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
64KB

MD5
6b3780a675309917bb93371756677407

SHA1
bcb74fb9585b32ef44c8eb1eeece068bf93754a7

SHA256
da6a44a86115f187d751f1443acd974aafd1251c224bb242f39a1fb83d3788d1

SHA512
e6920ebb58a77d7aa87093896b63368120dfc61f19f7dcbfd3e59c39887cfd4b84558d8cd3d79523c6e3587aa9e9d215970c470318362d9e4c696d29865c0268

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
64KB

MD5
746e42ce065530ac3abadb8468c0a801

SHA1
0fdcb99c45ad0642eb6f6f78a28fd9967dc2226c

SHA256
7c3fdada8d8abeae9283fa716213f03fef4b14a704d2c693fbc543fa7dcfeb66

SHA512
065824e659955ea55b590221ac1b95964abfb2da745ec327e7253d7d5bcb0edd39d20dde19d04f6fc665b3ec63bb09840fbace7ba0e7ceeb7f04c4ae35e9f35f

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
64KB

MD5
5d8ed89d8f09234241d08b09efe355c1

SHA1
80c509797585835c49c717616c5b52adaf5b893e

SHA256
7e49e712cdf0fedd776dc239b9597b3036be9be7effd00cb40736c3544abb418

SHA512
45e9b27befcad7d736c526cbfe04674f3d9e7a6c8a61d2be3099c0af3e88cabc29587d528014707f097ad7de2d7bc6bff406127953acd790423033103812ca26

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
64KB

MD5
7097739a3f9fdecef3fd2cb7406d89d7

SHA1
015d64a3bddd4739153d22240815d5a560d95df9

SHA256
781eca7ed5b82eec07f9d8b2bdda8dde8917cdee1b7344b717fdb8100969f034

SHA512
742d4d149165063929131dac2e6ed5f89fc5aeca42c492797081d83f260948aaa77ab4b38711c2bf92c9eeb220bceb11f941e5664e597664bc985b41804ea523

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
64KB

MD5
76480d5a5df965e62aca8e689c15e876

SHA1
6f68901ccff27d827d6816923263a744279de6e7

SHA256
ff3df2a1d0869e7432243dad2ccddc51158d94ad42d4c2beaf120e7ba7a10007

SHA512
09499a44b736a62b035c5c4e5b8653c4f631a30506981cedef124f9f89cec48d1cf9110ad2055c14170ed1e79a840bbbea411376bf1a53999d0b03ef7ab11c85

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
64KB

MD5
54d65a81806c5d2cc4e1d93556f422ac

SHA1
86fb116df02ada11b557d71b8d785fcc0de7f54b

SHA256
674a1ba5b229e352b1907aaa46684f22acf573762fc269328719f63e1bbf1af0

SHA512
bea3b67d52d42f2792fba6ce8f348895b9d7c365f4a0dd59fe90f1ec5ec22c4da290290acf35b4de83809bb92e3b863eb1f46909b665d30784229e379b830c77

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
64KB

MD5
9efbd14318f8fd10f4d841c999f91219

SHA1
2d5a0442c932ee1135dc11bad0a17d9a7dc71a46

SHA256
573f5dcdfd790ca84714353e971e97afe5990859a4aff6a669b8c5d1e97004c6

SHA512
22af77bc811e4946bb32178fb483bb8751ed7652b0730606bc33142b84e91d21b61839d955f77f62545e70111314581a29d5215dcc118f101848a616c6a096b6

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
64KB

MD5
a414433873b1e97e790628f6b339aeaf

SHA1
c77c58a17ab3463e3ef0d93d8361e6f32937a458

SHA256
737dcb9d5f9cc7adf3c97ad302291e190b7fe969df1fc8fe77768ec08a644b2b

SHA512
1793d466adc30d5894aece1527e3a5601efa6031bbe52de2c30f9985caa54a7dc01951bfbc215c028b0f8a7829fdb7065bc73479b430e2f47138634b05c9c290

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
64KB

MD5
fe07189bd92e976c2502ce67934ac1ff

SHA1
af9bd562d3b25af3984e7bf914d042db74a69ed9

SHA256
f84c23a218da61aab7ee52661a5852170f0cfa57285d1f9174d394fd6583c802

SHA512
7c930252885060622bd028d761d8706f894bb0d89afa85d2f6f9b32c96160004953a28bcf4742cd3111cc2557a27526523de562687f818446d97bdbf96f10441

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
64KB

MD5
4252d637130801d055d1e80b935d4e01

SHA1
5acd54ef07fde19ee9cc64e78cfe530720371a32

SHA256
3149eb9e4a8fafdd9692e431a6e56916bdcf8d3425727ddd311d26772ff06fad

SHA512
f271c0a5329f0c2ebade1999989d3c556c664ad6718c9b6eeb489f6789106985354bcec5d5f96fdff801a2369fa905b9c9b7f60e89114db1bffd83d349882ce1

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
64KB

MD5
7489d44a6dfba43d61a07cf87175fb10

SHA1
3dd11aef43682e0109d4db08fa65d64875c391d3

SHA256
b1ff57ddb0258b36e9730d13e0365e0742ae12e4059ba704b390cf92bd6ce53d

SHA512
afc560e2d6b0411b52072c8073e2e4fa056cac0f036d6455d7e233cfc4da172f6cdee6e8f815b80bfc5b905a82f47ca70aae6aaab27175b102051c840f699fab

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
64KB

MD5
8ac9996d53c789cc6461814d7c0f3432

SHA1
a72db62818a687f23db79a03d67147d8bb5f2d84

SHA256
71f1b315fe05a3f32bb6cd7f27f0c5d6dcd368a0ed7b33b3b3312829baf2df9f

SHA512
17477178b74fa9b154b9b56adacd360f415682386d4cc59b2fdad59ce63d0fb598144a659c5749676783146adb65d9b0e557f746682150fa095e28f03a50efe0

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
64KB

MD5
329274cf0695b90eb32c81a9e6d50309

SHA1
6d814f9fc9c3a49faa4c57c3f766edc4c5e6b213

SHA256
4055ab3e8afe57646add9c2b9e71a4aa6434d3e34acfde872afba0fbbaf91413

SHA512
f3ac3b495a5fe617eba1f985017a51478b93f445f1e5702006b7cb0f00615dbfc365d2997f9c1075ebfcae4d6bffd127ed2f0f78c5ce3624fc5421d38124342c

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
64KB

MD5
fffbe2a8f696f3ccdc71d410a42a0245

SHA1
b8f0ac359c3e7dd27fef140e2bebb20b803d7670

SHA256
2a8913eec222ee13b2909447324ba37a6d67bc976674e556fc5a331edbce76aa

SHA512
ebd18dd494d2552d4c14fa6391fbbed9c689e99d2fd854440d2eb7abf641974c4ae618276a708ffdb61f96d3c415c4d6a9520eba11af68b1d9b97f4bca8266f1

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
64KB

MD5
80b3c80cca353f362f269a7cd8ea58f8

SHA1
9936f6167ac8d58e4e6bac9e2e89cb40dd2f02aa

SHA256
500459170ae658e40391c3f9c00c34c6af453f81fb96257a3ec98ce0cc7865a4

SHA512
b94a173266184691cdc45525a40629c549e2a1b7ad3e6effc3548fa5c1d2751a38b72e0b9fb6d6d38d64f820e1a024a2d768a4fd000f0638e17d629c623adf0a

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
64KB

MD5
ab2f2290b716e93031da584bc4730b5c

SHA1
c24704b8b853336da85166c2f60179353414d501

SHA256
c43e812331abfb7de905ae87c91933882b299a53ff71fe8a3c655cf1ccf02f7b

SHA512
5fd1f080d4a0b4d9cc1a9763b13045caacab8c0972cd820be59ad5c1674b1b9ed6b3559a8cecfd8c22434c13ed4b9db38fff897f246c3d08f79d9b4d2b9fad44

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
64KB

MD5
9091751c86226981555f415f82888433

SHA1
065aa2319ed5bb7cf578e7e964d5fefb5c6f785c

SHA256
889191a649ed3091551451fd119e494b738f850594b108961c9a897c932ca03f

SHA512
d1f8020e762baaa006f4726a937836208f7913949a596d6c677284f6c8fdc27ea7b005b2c3581a15400959929cec606dfae2ddce3b26f4b2cf84532cce71fca0

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
64KB

MD5
ed6102623307a5b6940765b8b9071f1d

SHA1
3e75448d195777dec7c3a5227b7a12ed1c412f5e

SHA256
1429caa87d115139fd2c08693c3cbd95d50ab3416318efa77c399423db5f77fa

SHA512
a9719b7a36bff8c8066e9917d94e0a09380db186ffeb772b56f80864702459452e0d2adb142363ac5e2f45c56774c53003a407e37e73c9ae37ed9aad74a46586

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
64KB

MD5
ba76b648b3a53458b5d12f511e282f9f

SHA1
272d8b4cc233017aef801d79c8e84fbe1119899d

SHA256
820f66707dccfc6bbbf8e3e0145b94c2796c37384d65251c311a2bb1085d326f

SHA512
f06f3b75013526654057667383d3d6b294e730cefb9b5f7795db3eb159982f4e0b959bab135263af22ee712f7a2b1828db5d13ab0482d2ac8aa97c50133e2c6f

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
64KB

MD5
747ccdd10901b0f65ad9d2140d54837e

SHA1
c72b8f70b29d85df762a7cab9730d4667f8078b7

SHA256
9bc8c533d419ffc09b5709a7f84e138494fc8dc1562cdba7619ff7eb8d11b700

SHA512
0b05727fab1cbb3870ed63b37733e373a5fb2e12627270a45fcafd2f9d10c047ca6868ec0a00a22749fda304168b8f2645bc81ab9548b4f04ceea689df5c85e6

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
64KB

MD5
f90e6f3a0b9276922692c20ee3cecad1

SHA1
7aff9408db0d001326ce60c1cd674ae4bf0d4e12

SHA256
834e64569686b99c7b12db171cdca19ee16f4f2a15ee7738bffe9c7aa1b8a494

SHA512
e67a3e42553c15c6e70e871b3437b37386e67b31f817f2b8e094183804acd0eb55cfd886a5de8c507943cae40e3ea68489fe38e0474a5d874796e0c36b1b5d71

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
64KB

MD5
88f292391c5ff601afe852cd55801450

SHA1
77f0be3e45607adb85e0fd7d000eb8a845fe0efa

SHA256
7353ca4a9e9baef6125af19d73490e062a073b92efe74ea982519e1a96f95db2

SHA512
741641065f2225ed5edb5639734ed5c7a8f899e9fe22bc3b2da33bdff8cf05cec5f0b202d16fb08546ae185719d6b4b5a6afe548cd04d46543d442c74492edc1

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
64KB

MD5
7823f6f930d477489249cb325a7e1f49

SHA1
c8cba335ec48d014e575b4e2bcf154c729b4871e

SHA256
8b7676136c18b95365e8a5000ebe2f38cbd2ecc82a252e46465e8fa3c9056bc0

SHA512
984c803e112e59ffb258f498e871e44f7090f83cf114dab8c2cc296bf0634a52c4fe0a441cf7838be006ac96c1270916923ca1cdeafb819c02e4d13a81d6a6c9

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
64KB

MD5
d7ef02c10048147e4f6c8f0f7b890a58

SHA1
3d0ea3469ef7c54c67c2c4e0f50e7b264bad5008

SHA256
6cf6695d4c9bac77033105ad97e4df6ac123057ffbec60b1de6f992ecad9598c

SHA512
f49e01f96115bfef149d754b8fe4bffdb693ec4e4a711448ff754887fbb76e74909bb19ab2069cc4e23e98d8a5570d7a97738e03fd3cd53fa1ee2e851005bbfa

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
64KB

MD5
f0c17a5e28f76958639ce49f5271d3ee

SHA1
e9fe562f510d211e5a918755547afacfec4f0be2

SHA256
59beea3b5b14cd901097c158a72a9ce29a8e86d3bcff4e4b81dddf53846c3db4

SHA512
8cf6832c0d91f2e0d7ab4b0cd4c116dba4dcfb552906c656baf0dbc6a9c150d719648159f652ef0659c21ae60d49924cdc87dfed4b5594f64d57d55854332b91

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
64KB

MD5
88b94a637313800bb1c34f6b413e27e6

SHA1
47d7ebd055dfa8a1de4bc1ab98ee6a017dd9504f

SHA256
d9d81a06892d83bae37ea9526012723fd238c9e4a7956f971530fcf7a7d06ea1

SHA512
c3dda9533aad63ff69a481a2a28688475bdecf5d2261322050b2f0e4a0c84117a05d205b6efd4a082ea1d8cac322213f6aabf713b24aab08f7a39701fc3cca1c

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
64KB

MD5
c90e747a7c6fbbe607b550aebe827232

SHA1
383071d034ffc4b7e5c951ec08e9eb980b86489f

SHA256
454175c101651ca5d61c0a5852c0fbd7760f9b29c7b70336725cfccf41c3b5bc

SHA512
ecdc934725469c995167729adb222b3b544601799b91cdc7d4205384a713e6f8711a10cefc5b7b4de3d660cb35bc6d66c8a553d27e800497011170f5795de3e0

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
64KB

MD5
a2c5d261acda1a6281b2bd9742f6259f

SHA1
de932e0bdb0d6d90bf077d635dd1b6bb7c65a036

SHA256
a07d870ddbdc3affe192de5083b2a907f0711e68d5b3b351afea54473e98805c

SHA512
87dfa29987ecd4abaa439fcdf108072c82b3b231583955fd8f7f20f140cba7587e449e7a3cb899207c02b8ba4d9cfd33c32fb898d4072ef9ed6fb2b4852e4d89

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
64KB

MD5
613e288ca0e6330892b1d49910575e17

SHA1
4bc7db27cbedc5a38d42d9bf154fe2936046491e

SHA256
03b2121f3768836b356bb2967f5087b84e7ffb2e8e9ed9e65f0293c2082122f9

SHA512
d6a4b7484c608b1f9b9c18893e5df3fba66c1aa26761e016e22149554755c2c214ff6c0b7c3013e83cc8d3699a1ee400f17d0d97eea8113debeb41d9936f19e3

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
64KB

MD5
b310bab8a447b9b86b2dd248555884b6

SHA1
a7aa460a9460db2735e1767f54445e0612aa5305

SHA256
ee48c5e506c2c707ac49d24256a9187e84eb95d136854f8b8b09d002619d3c19

SHA512
5ce4a0a55d8e28e6d23d1ce7778b0d1db4a34177da71c331c954c5c4597bba4efeb61c44be2aae40234b52654772626847f565bb94397672f65048aba426acd2

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
64KB

MD5
59f388c279e25e34b7a81bac2fdd9645

SHA1
f0a4668ff3512d46683c6a9d267ec1a43987053f

SHA256
98f7b7c5385dcf898b18811a7a2ec15a9699c43d08f0380ff2ffb158ceee2aae

SHA512
6af980d7f2c4232b4ba105c44d3f92b4d4736ca31be657ad0e69fa379f9c46713cc0968dffc682f2e3a8d46b6f93bd9cd06266727b2c7d095c5c51359be9adba

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
64KB

MD5
26c2d1a1ece67577a8741a9045255577

SHA1
2558f2238bfa77783f20ea96c58ea83c92fbb5c7

SHA256
6ee6c5f9a9cbf007fccbe51c50b96bd1539b09339e39730e10c196bdc7e8699c

SHA512
4a87edb0a62e73ee123c51cdc2e4188e40135b1601861b2e9a56fee62c94266513e66b821b5f5ea79d4f4736eee0d7ab8b42bebc97cb6dc2abb9fb20dccd173c

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
64KB

MD5
2865fda5b11ce638f0e8712f687dfe87

SHA1
a02b06fede9ea65e7cfc4f9449261910d4909f1c

SHA256
19ebe3f238986c37aa6838a7bcdd8dc805276b444bd55c90f58d4bfe7b3ee1f1

SHA512
2ce03427c3e74a3945dd5092fbaedd506b329996c61f7b6d7170097be9343033bed8fe416abae8c0af9bcd94523c30a5e452a9ec646c2e14d80718716ef57d7e

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
64KB

MD5
aa7846ac80cabfa36c133c96e8559eb8

SHA1
a770d7df2d32dad9eef28aac4d88590cc045c4e1

SHA256
b142f0a0a17322dc2fe01f66abb619055271ab9de018852f071089dbb113e2b6

SHA512
87ba391e93cc06ec7c96a90fda27f3bf2d04e44459c5b1cd4d1aed33f8bc34d8ee54ebeeb1355f9973c1f43ec2db1b13d4a088fe0fddc6dbdc405a0f66d06712

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
64KB

MD5
1cea5e3f0b91252ee8c9d07f4dda061e

SHA1
a1680cde67f9b546ef2e8081a981d59ab904db4d

SHA256
a61cb5a2d4670db45b47d80668ad6e098bdf5cfcb74b3727b4a82f0ca9711b91

SHA512
5702f9d5311b4dbf096f0a99529fceead068b7093dfc88099b0f4d6f5e43b84587c8a09879b4345b1ac3fc780d6e962f489cbc1ed9595bec6f7e28af3c0f0490

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
64KB

MD5
1ce76812cee52c02ae23315100bbb54c

SHA1
28e74b03da347a0a379e770e0a4cd7bee2687a2b

SHA256
365f1aef34e422d9b56876dae481bd8fdd745a473ccd4f1faaecafda9868c450

SHA512
f1f680f4e60c5274a51af1e304f3126f0f1ce9e7adf739d2572180a9fcd6cfae9f67c1aa3534191fec81e065ed41d9ff4dc5e08a0425ccbc20c4cb39a322b288

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
64KB

MD5
8654d3e78b08ef2af1b6b8bc509caab5

SHA1
4e42c0f45a08c41808dbb7bbb62dd6924d202978

SHA256
0c6b68c151145d68826208486291ec0fbd034ae8544061657be3de32c90a9015

SHA512
ddfbace0ab5a7f69e237341d1a1d165339126f498b660b6fb2b4fe8233f9fce90b34cbbc360d9850e01a67e8d8b1a3f39a8a599ae02a9799b74d0a0de0901750

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
64KB

MD5
e4e726d1ca4025fa45ccca9c5432ebff

SHA1
33f551d974e1c7936dd04444a928e4f371b80867

SHA256
e578ba2abc3d249d611b755abbcc4149946672aba2fed41bd3099a65196f1e95

SHA512
dbbd53bcc94ffec356d812a61b46592e7eb43d415389f2336766a9562f6579c67ab449aa6ce9071a85fed6a5d28948ea089f57ad961abb07d562aab839fc3ba7

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
64KB

MD5
5cc4f1261cb7cfbdab24638553c1471b

SHA1
741204e8901e0a5bf0314e89ac1a1c5efe252fb5

SHA256
70ad800bb90f1524ab063da645a32a631b0615b9516ca8fd63559887995c0746

SHA512
8bbf8c51fd03e8fee4dbfdde0fdfd108746efe821af27dd6dda769ba0c8022a0f030b9a7946261f53e7f2b0991314f151408483a8569577d3d202d5758790a3d

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
64KB

MD5
cdf2f6dd69db50ee8971bf2802f12e7a

SHA1
bff4145a36c58a4269731557f8bf50cb12b36160

SHA256
4c1ed3d0143c70e33a450bcc22a013d184bbdaf664f992a971a290bf60282d90

SHA512
fe3d3d6bee5d73090f25ec37ba197534b6359120967ca816de465e5415e03bc59992869e5f25859884fc141efd5d196104b386041a1f97e9e294aafd55fa49e8

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
64KB

MD5
f95bfabe3f8f6547de6a0b86931e6fa6

SHA1
c9f28bfcd03f709177492e9b574041fcd2232af5

SHA256
92370d5271dbf45c871cca758c565a98ebb4d07717241227bd72d9e3d088196a

SHA512
1a03bd58053444944051be313cfba44c5998d88149170de40e111aa84e774635580ee9627b858613b523ae611ae07bcf060ed15dc4be06427c54223b1ceac31b

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
64KB

MD5
d0d855a2cba2d090a62bd2e497483c45

SHA1
e4c56610c6204a2e1675e42369ae47de6c1a28f2

SHA256
e4577e9732d2d36a216593bedb5bf3a7b1863a464b70dbcf971fa233faa64410

SHA512
a7a3b2dda930fe4b673d6cc949b9328f4bd78d444352fa6edc76f9c5e93fd9bca47bc8685d9ebb634bfcab89ba40bb22cac2d5ac011d81da16827221f20aace3

Download Submit
memory/8-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/60-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5124-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5172-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads