5e80a917198f61fc96e15f3637a6b93151cef543b03f100df573eebd3e8322ee

Analysis

max time kernel
133s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3489cbbec9a95a348e18f442a5951270_NeikiAnalytics.exe
Size

314KB
MD5

3489cbbec9a95a348e18f442a5951270
SHA1

4c363ac5dedccc24f56d0b5ece8c519d211c4710
SHA256

5e80a917198f61fc96e15f3637a6b93151cef543b03f100df573eebd3e8322ee
SHA512

81dcc3441af864319186a8d428afce86eb4a4446798b8d92581ef3bc4e316d4f86ad1e0d5b9423385707f1f070278021d8dc21fa8c9100458ae13b896febbfc5
SSDEEP

6144:xdISpSj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:xdISy6Najb87gP3C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3489cbbec9a95a348e18f442a5951270_NeikiAnalytics.exe

Executes dropped EXE 64 IoCs

pid	Process
2524	Gcidfi32.exe
2496	Gjclbc32.exe
4200	Gifmnpnl.exe
4752	Gameonno.exe
2860	Hclakimb.exe
4872	Hboagf32.exe
4236	Hihicplj.exe
2636	Hapaemll.exe
3468	Hcnnaikp.exe
2312	Hfljmdjc.exe
4584	Habnjm32.exe
3552	Hfofbd32.exe
3188	Himcoo32.exe
1832	Hadkpm32.exe
2628	Hccglh32.exe
4764	Hfachc32.exe
3800	Hippdo32.exe
2148	Haggelfd.exe
1264	Hfcpncdk.exe
1436	Hibljoco.exe
3840	Icgqggce.exe
1088	Ibjqcd32.exe
2440	Ijaida32.exe
2316	Impepm32.exe
1956	Ibmmhdhm.exe
3884	Ijdeiaio.exe
4596	Imbaemhc.exe
3208	Ipqnahgf.exe
4840	Ijfboafl.exe
4776	Imdnklfp.exe
5060	Iapjlk32.exe
3024	Idofhfmm.exe
3732	Ibagcc32.exe
3860	Ijhodq32.exe
516	Iabgaklg.exe
5028	Ibccic32.exe
1776	Ijkljp32.exe
1052	Jaedgjjd.exe
4328	Jpgdbg32.exe
2696	Jbfpobpb.exe
2904	Jfaloa32.exe
4532	Jiphkm32.exe
3584	Jagqlj32.exe
4848	Jpjqhgol.exe
1856	Jbhmdbnp.exe
3444	Jjpeepnb.exe
3716	Jmnaakne.exe
3308	Jaimbj32.exe
5112	Jdhine32.exe
4140	Jfffjqdf.exe
3252	Jidbflcj.exe
4464	Jaljgidl.exe
1000	Jdjfcecp.exe
3956	Jfhbppbc.exe
3304	Jigollag.exe
3184	Jmbklj32.exe
3288	Jdmcidam.exe
3196	Jfkoeppq.exe
4608	Jkfkfohj.exe
4768	Kmegbjgn.exe
2592	Kpccnefa.exe
808	Kdopod32.exe
5108	Kilhgk32.exe
2828	Kmgdgjek.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe

Program crash 1 IoCs

pid	pid_target	Process
6512	6292	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 2524	4428	3489cbbec9a95a348e18f442a5951270_NeikiAnalytics.exe	83
PID 4428 wrote to memory of 2524	4428	3489cbbec9a95a348e18f442a5951270_NeikiAnalytics.exe	83
PID 4428 wrote to memory of 2524	4428	3489cbbec9a95a348e18f442a5951270_NeikiAnalytics.exe	83
PID 2524 wrote to memory of 2496	2524	Gcidfi32.exe	85
PID 2524 wrote to memory of 2496	2524	Gcidfi32.exe	85
PID 2524 wrote to memory of 2496	2524	Gcidfi32.exe	85
PID 2496 wrote to memory of 4200	2496	Gjclbc32.exe	86
PID 2496 wrote to memory of 4200	2496	Gjclbc32.exe	86
PID 2496 wrote to memory of 4200	2496	Gjclbc32.exe	86
PID 4200 wrote to memory of 4752	4200	Gifmnpnl.exe	87
PID 4200 wrote to memory of 4752	4200	Gifmnpnl.exe	87
PID 4200 wrote to memory of 4752	4200	Gifmnpnl.exe	87
PID 4752 wrote to memory of 2860	4752	Gameonno.exe	88
PID 4752 wrote to memory of 2860	4752	Gameonno.exe	88
PID 4752 wrote to memory of 2860	4752	Gameonno.exe	88
PID 2860 wrote to memory of 4872	2860	Hclakimb.exe	89
PID 2860 wrote to memory of 4872	2860	Hclakimb.exe	89
PID 2860 wrote to memory of 4872	2860	Hclakimb.exe	89
PID 4872 wrote to memory of 4236	4872	Hboagf32.exe	90
PID 4872 wrote to memory of 4236	4872	Hboagf32.exe	90
PID 4872 wrote to memory of 4236	4872	Hboagf32.exe	90
PID 4236 wrote to memory of 2636	4236	Hihicplj.exe	91
PID 4236 wrote to memory of 2636	4236	Hihicplj.exe	91
PID 4236 wrote to memory of 2636	4236	Hihicplj.exe	91
PID 2636 wrote to memory of 3468	2636	Hapaemll.exe	93
PID 2636 wrote to memory of 3468	2636	Hapaemll.exe	93
PID 2636 wrote to memory of 3468	2636	Hapaemll.exe	93
PID 3468 wrote to memory of 2312	3468	Hcnnaikp.exe	95
PID 3468 wrote to memory of 2312	3468	Hcnnaikp.exe	95
PID 3468 wrote to memory of 2312	3468	Hcnnaikp.exe	95
PID 2312 wrote to memory of 4584	2312	Hfljmdjc.exe	96
PID 2312 wrote to memory of 4584	2312	Hfljmdjc.exe	96
PID 2312 wrote to memory of 4584	2312	Hfljmdjc.exe	96
PID 4584 wrote to memory of 3552	4584	Habnjm32.exe	97
PID 4584 wrote to memory of 3552	4584	Habnjm32.exe	97
PID 4584 wrote to memory of 3552	4584	Habnjm32.exe	97
PID 3552 wrote to memory of 3188	3552	Hfofbd32.exe	98
PID 3552 wrote to memory of 3188	3552	Hfofbd32.exe	98
PID 3552 wrote to memory of 3188	3552	Hfofbd32.exe	98
PID 3188 wrote to memory of 1832	3188	Himcoo32.exe	99
PID 3188 wrote to memory of 1832	3188	Himcoo32.exe	99
PID 3188 wrote to memory of 1832	3188	Himcoo32.exe	99
PID 1832 wrote to memory of 2628	1832	Hadkpm32.exe	100
PID 1832 wrote to memory of 2628	1832	Hadkpm32.exe	100
PID 1832 wrote to memory of 2628	1832	Hadkpm32.exe	100
PID 2628 wrote to memory of 4764	2628	Hccglh32.exe	101
PID 2628 wrote to memory of 4764	2628	Hccglh32.exe	101
PID 2628 wrote to memory of 4764	2628	Hccglh32.exe	101
PID 4764 wrote to memory of 3800	4764	Hfachc32.exe	102
PID 4764 wrote to memory of 3800	4764	Hfachc32.exe	102
PID 4764 wrote to memory of 3800	4764	Hfachc32.exe	102
PID 3800 wrote to memory of 2148	3800	Hippdo32.exe	103
PID 3800 wrote to memory of 2148	3800	Hippdo32.exe	103
PID 3800 wrote to memory of 2148	3800	Hippdo32.exe	103
PID 2148 wrote to memory of 1264	2148	Haggelfd.exe	105
PID 2148 wrote to memory of 1264	2148	Haggelfd.exe	105
PID 2148 wrote to memory of 1264	2148	Haggelfd.exe	105
PID 1264 wrote to memory of 1436	1264	Hfcpncdk.exe	106
PID 1264 wrote to memory of 1436	1264	Hfcpncdk.exe	106
PID 1264 wrote to memory of 1436	1264	Hfcpncdk.exe	106
PID 1436 wrote to memory of 3840	1436	Hibljoco.exe	107
PID 1436 wrote to memory of 3840	1436	Hibljoco.exe	107
PID 1436 wrote to memory of 3840	1436	Hibljoco.exe	107
PID 3840 wrote to memory of 1088	3840	Icgqggce.exe	108

C:\Users\Admin\AppData\Local\Temp\3489cbbec9a95a348e18f442a5951270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3489cbbec9a95a348e18f442a5951270_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\Gcidfi32.exe
  C:\Windows\system32\Gcidfi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\Gjclbc32.exe
    C:\Windows\system32\Gjclbc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\Gifmnpnl.exe
      C:\Windows\system32\Gifmnpnl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4200
    - - C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        26⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3108
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        32⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        33⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        44⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        48⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        51⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        55⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        58⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        64⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        67⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4476
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        69⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        71⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1784
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        74⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2900
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        76⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2536
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        80⤵
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        81⤵
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        83⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        86⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        88⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        89⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        94⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        95⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        100⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        101⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        102⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        103⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        104⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        105⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        106⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        109⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        111⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        112⤵
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        114⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        116⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        117⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        120⤵
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        121⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        122⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        126⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        127⤵
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        128⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        129⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        130⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3324
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        132⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        133⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        135⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3500
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        137⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        140⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        141⤵
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        144⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        148⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 220
        149⤵
        Program crash
        
        PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6292 -ip 6292
1⤵
PID:6416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
314KB

MD5
e34232934b359e8071cb4437097e2bfb

SHA1
01872cb27768b33347baf80f153fc2dc7f2c9669

SHA256
6d57e4e322fdadd0bdbafad850c608121fa781cb546433a6cf3b216d87ffa85c

SHA512
f9418319ac0af38432745d900d884f1f9dea2a99a37e579992ef118d7f555e5396b1ab6140c6a2254b535e49be63eb5084309d78ef3681a941c825fec653345f

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
314KB

MD5
56efa142a365071c8a09575d4ef1c29e

SHA1
0994a1991bb306934225af958cd75edc207d1e2c

SHA256
a6df01a4a40ad64b13ce3846bf6dda32a7c785e6da08e083d610fc3245fff4e4

SHA512
c54f5bce70eb15295ced5ea5ed03d60c69116559c04adce5eecbd3ffd8ae56667696e5d7b84d63c24de6009620af52d9bfe9427ecae3e6c1921aadefe78c03aa

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
314KB

MD5
02ad95310efb8d79d4435caa178d9bed

SHA1
577584f0bb40d1e0ae5f901e3948c64c05a1e0c4

SHA256
8c5abe1d595770dcd09ca54089a41d9e597bc574be9b684f8fb0532f463d9219

SHA512
98a4446940630456723317b5f7fa57a1f6b6eaf8321a67327359cd14acbf4d312af38d6820c3f3d6314c4062283b43f1c06e0834fba3f1d2cd8b8e5a37362766

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
314KB

MD5
5342a8fe615574c16d5d6eda7017b2bd

SHA1
14bb942832f50cc6c275e5e994e021e18f062722

SHA256
8c9c14bcd3b3a98adc1dd53195b22d1f99f32d078374df7dbbb79ba25f4372ed

SHA512
10b042fcd3bff7a18dbd276262c1dcb25f931626e0c7fce966c400a207874d654f9ba4ef1622235ade48635feb542ac2a1f33518f26bfd539311c25e8c734e7b

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
314KB

MD5
51589ada8cdc3454d78a7d00315b41a2

SHA1
9f235635e3d6ea3ff0fb5efa27ad37ad66357999

SHA256
365519d5432cc0e100161628a434780495c0d31aa6004e6c7914b953829d84c6

SHA512
0decb1819aeb2437e304e811e2bcc09826dfe0e4990a27f7dd1ef8ab2db2a5d9367456816cba8a48ebd84dae27d664ef87d5cb8199994d62e6f5aff489139fd7

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
314KB

MD5
c7866210179f11d5269dec52441e3ad2

SHA1
e66906f74abe35824b8df97dc9140acda2786475

SHA256
54974be81b9365dc66af84cc254bbb07c089e43a60205f5f347bfd1eae69bd32

SHA512
0e2ec44bd813d905046fb25eb5704c213ee7f1fb7862fe7bff5c49db6682a3b8b0b9e7a2a95ffc117e3e0e9703f83170a4e5a747efe011961c84012f86235ceb

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
314KB

MD5
15e79fc71214d9249339070a203362ff

SHA1
6f7d3288d7a6ca280bfb5f049168b9cfd1681ea4

SHA256
be5ec69e496fac3ee04c188f60d43cd1b32780d411ef3b8b683e02c549e1cf85

SHA512
ee95c5b0b3d7dd66a0d929fe408a15950b301cdfc6cdc4e29b039e2c64d8c417436b2c5c8af1fe51424a43dfe87674620275a9cc0f4a3b1d9c7f3c37614e2628

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
314KB

MD5
f7234cc73a7eb77647f72e9a45e704b9

SHA1
8acfde4ce1f4cbe1db9e65c241cbad76b5ddc1ba

SHA256
99e6dcaad7ce3f49c7f8c2498216966ef1b71a6537db6c1fceb245302c3d03a3

SHA512
c78d6694f7331297db4e330fc58b7c7dffa646852e36ee1ec30faa7c90664205d03bc76c43ca859704493993be8269b98b8c001c63df0855d767c8570c586c2d

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
314KB

MD5
597e9d19dcb256d496865a5c5fc39d03

SHA1
20edf102777667f9ce4eef60d81d6bd8ee85e6be

SHA256
4f7751f75bf0864c716f639186e3a4e7927b62843bf4f28cd5a05904135c7172

SHA512
a7901f8a70940b2faaba4367bde8d4ca7eb7d0c6dfad04b746c80bc77d7ba3af7f8438b711bc79d71f59732e4707ea0e4e14af5490f3f822e6218a32fef0a674

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
314KB

MD5
a5c9aad88d5e5e39a9cf9ad1f599c9e5

SHA1
4652ba6c62ee9f0b1114237e110dec2a560c2f1f

SHA256
1bd6e1f1be416057ef82184228d4085af288a9fec0964901220efcbe08aae53c

SHA512
00cfc798bacf9fec617ab01cce8f107e9a305bcf5511faa32167dcd302a98ee82b9d20cfc566fbe4256664f65e4816fecf226519402a4e3c80e20cbe87da40fb

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
314KB

MD5
68885918d01e5e215a1ab864b5ac0fea

SHA1
52b50cb1bf88fbaa1df2a633d33f08438010b187

SHA256
c706baaa466dcf85e3c98d359e4d063cf94be7de72937b04b6ff7d183327f02b

SHA512
a119c3bee5446f151571aafd3d979a8e754881b6ab5f733a639d8f3901210ce4db11f0917325a3247995320250e7859383b54919ae94d1d8b2332937b122e70d

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
314KB

MD5
01b9004d16fa98ff1ebb4c8bcd3a8360

SHA1
8ee18e41515fec194df246bea75cadda36164e58

SHA256
e634ebedfea1dab1e4791033aae5fb858102facc44dd9eefed5a002661e2cdbc

SHA512
390919b974f4b5513298c239005e1d49b66bb5aa3557fc43f200a697306be02a71a86a7faff89fe997f5c3d521bf9b887616ee2791b58e7ff3b3fee6dc65ddf1

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
314KB

MD5
1f182df2605ba26b902cc179de280bfd

SHA1
083965bd512b3d8eb47ca1b4aba2cbf90a501c0a

SHA256
d8718095dc9192835a08c7d9aa7d816df0e3ac52e47c804060dfd33dea2a6aa6

SHA512
27cc1f38549d656a7ba4fba2561a7ab203c577b31e466b452baac7e5a631dadd02c89217be5c24c89df99c27946f834524815bd38ad779b1973cabeb85aada7e

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
314KB

MD5
3fc93ed402c2d6e1c2eb2118d3856f17

SHA1
ba99a022deece7ec7ecb186e4ae1e14cc2d08ca3

SHA256
c446a10cc57894ca5d0d7c4ac45f3da1b93ea8c9f4d3bbed8b67a139aa88dbe5

SHA512
609131ff410f2b521476a812a52f2d89df6aad7b8973ced6284fd2744fdf8e48b790d56760e03a7a458c1248f123c50addd3910ad9ca2e28286f3cc224523f09

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
314KB

MD5
d11b6b2d01c736ed3bef6db61ae0b1e8

SHA1
b4aa63b1aa87c06c12a7dfd92a6ce274362a6dbd

SHA256
467cb9b3ee1e9da56095dc4c5cc82710e22f21152f1a7ec5d64246d3118d522c

SHA512
9c7fa2b254c5a821fd232bb18f8bf8dcf45bd4d4cfb6eeaede4535c2bd7fccac90dea571a4bd8edad853d72f6bd23283d2ea8dc2ab431d93bde7b4f1353509f4

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
314KB

MD5
5b53f4dc489b25654dde481a9c9d0f74

SHA1
c76a4d5c1cfd48cd02405a1bf9dcc692bc50c068

SHA256
451b4d3ddedd4c642ac96778e3b684e414709abab669c4511697f2329658dea7

SHA512
aa0d2635372eb7cd045f454d755b21c585da142f5573c1f1593558bf7dfdd6fdd5342ddb13d18ba7c428fd60cc8c5af7df6550eabdfccb1b28fd2acc9e99edd2

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
314KB

MD5
149074398e93f604d0a16011b993d047

SHA1
b9f7d5f046e16e15ce868861389a504dfa4e97af

SHA256
d4d23441681685a7aa694dd537062dd36108e25ab7162a0d7919d1382a56791c

SHA512
a929b3ea521702191e0a2974dffada277c8add4a9ec78822f12302cadd0e17d097fef43a72e866293b85257b4e7421256df863befc5d2d9b5f6af84caf8f6166

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
314KB

MD5
65f9fc405afcc73358847351c0721940

SHA1
3a52b4e96d1b373377c7b0235645e832df96df68

SHA256
e753a7ab4eccb4c99d53a0984c762b6f6312e2cd6ea66f253c71c83d22acc727

SHA512
335779d8de66d7bf87bc05c87467a2d128d9233c2eda311889adfc599390077c460054ddd84d471c7615be063be59c7c06487382e8d4e5bb6410b8ac0b27207e

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
314KB

MD5
378525233c6adc94c1bbf5808b2a58d5

SHA1
8618b6588134b22735d2c1f808cf8a959e9a3d8a

SHA256
6b6d0722e2182b21df685fbccad9ea5dfda8242b35df30b38cea822aae440cdd

SHA512
c533cbe0427127b9635ebc0e8b0f3290f8989ee6176b4c6f9360380c93c8352ce680a268383efa2dbacf52eaf9b4c1681e8758c83402015e497b115034e494a2

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
314KB

MD5
9b99b48c2a4b95da3ec9ca7111e4e3bd

SHA1
637f07f53f0d8d5a18a1bbfb6f315cacef105b11

SHA256
6fd7abcaccba1efce11b65f57b49f1ae27c5c2246e41111b157c06f37eb7daa8

SHA512
5a53309a993840a37a5f5f49471f6094137e7c7475ca2474bd309ead9552a3090fc3108b71a4a329b9d361df68c3f78f640e4d95056f504ecd2819f45888e339

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
314KB

MD5
fae884765ab11208cfa5e772ea59e14e

SHA1
db051d6a5231e1cb5de3ee0a19e153dec093f90c

SHA256
d8e3a49002eaf4a9281f1c5b03a8029c1075fbd7c0203bd5ea0b5f7a6b451234

SHA512
d33b39221a899a4ce476058cababfcbb2bab62c499ee7b70b365f2e2181231fcbc645b8481786474ffd7821b368d5fabc8ee7c72eaa904c91f370cf286da4d95

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
314KB

MD5
d44db3027d4d063ad61ee3f74c954ec5

SHA1
dfe41d5cf137e494eff4565a72492d985244474e

SHA256
965153be347b3a56e8df6bbb2a87312f2c3d34667c92dd4d92cd6f955f93bd2b

SHA512
588879730875ec64c070ae2b423f5b4d1417007ac35e1cde6e5b14c7e3a3ae404d1f0e39e3d36ac1effdd944f4a8d01be72e8282dcb4050a6ed887fecb680333

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
314KB

MD5
ff54d2f504b652ad51591bb262ef39ee

SHA1
3085f6dd1228cbdf2228d5498fc356fa9b1136f6

SHA256
769b529b8a35e5e5a3219e27ebb70df2ed28cb279657d02e29f38ff0fb078996

SHA512
0781fbdcbff109442f9f80f250cd941938114e68bdd765b56822bae886a6785e66f8574d0d67d0ff0bd7bd2379877972e81a1efa52a9f3ce922de42ca9eaa84e

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
314KB

MD5
be91ac324ed4c2640948e98aaf45958d

SHA1
25569dff727ed55cf13bcac69f307785ebaf024c

SHA256
04da9255166f9d57d8731ea7855e2e33003935599238847e7a4c5ae43c3dec25

SHA512
5ce946538c4d4554996eb577545fab54863a590ba15c8f453a08083d71be25f8b69dac5c87b4206e6ebc8d0837642caa3cada6474669063ddd3b85928b9e88e0

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
314KB

MD5
f3cb5f99f042cd4bb0aeb939f091e069

SHA1
baef84bf036df6a9d5c8a826dc7c3102fee7abec

SHA256
00b8bccf1a479ae941f7626ced2ba0c8f708de674329a6f3627efe3430969e85

SHA512
56de80b986b1d480e607592a63a5983677e4ae6aec7774d88cb7c973bf6be88e9ae44b3b3f263bf390488803a3dcc417837ef554edd5ffa403b4da475e62d152

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
314KB

MD5
036391b82d8fba502c7f39d91799510c

SHA1
d82ea6416d17ff6c1cf3bf60e5478775f31d9c27

SHA256
be06b305f041848d0b0a243b2b3f1e480e57bab88d41373481a7c2b11fb2e6b3

SHA512
17bfaf7b32379073b1e838764e560e45fc039b8f596d50612992f5032a3cf3ea6d18b3e2aa14e62591c903a999696fe9ab5cba50be6f7a8ca96e590ec1d7d89e

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
314KB

MD5
546d575ba63f33ae3e54b6c36580c919

SHA1
af771c94d25e151f22961c43421f2820296e2e61

SHA256
616bf6b0e37351a5e94c929458a05547b7347c53628eb44f0a66375e3cf89b96

SHA512
01e53b9aa57f254b0a0a40e0b182b423c91f62d8caf9b83d945c0bbd91bd49a07a6ac5273944e609a748029c53518aac39a9726fc4c6afc05493a5af23e99e91

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
314KB

MD5
46977599ae8d2d272972a9115bf79fd7

SHA1
36f4c9f5e57ee74406185e9d82ab1ba233b0f080

SHA256
1b868226a24fbcdc9eff53ed35d9cbe2aa5bf91ddb3ef894837f9c2340b2de04

SHA512
b0eb68059fbbb2cefa0838502f967e2a27c91b1f91ad90e0b254e44f45440cc9a4dabf8f73e43c9a9912d96af9eff254ecf477116660c8396c7aeb1279c935dd

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
314KB

MD5
7ee0c13089eb5b4b8a46faefd458cbf7

SHA1
0bef2f5c4406a23d644fd8216a06054dcabaea28

SHA256
ec235e6e740c9f846c409f4cbd0482459bdeac6743d97d839c881803c1edf228

SHA512
c344021757d86abb4e915fdfa586c02962b21312923d86df61cd2eff7919cf37dca28a33d513de5295e907d54edd70ec639802dc0b479f307dc022bcf264af9c

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
314KB

MD5
146859919617cb35b8d0939ec66c0d50

SHA1
d4e0add1b4b681843dc7584c05871dd046b78c47

SHA256
376f14e576a925ff5e499f9869e5f54cf859d5671e7d3cd2ae29536c52628d6c

SHA512
ddc25ee9ee4dbfb8094640a150a3688b7faba15e2f67a5e0d9d686c7d237105ec1c561d12878097a59a76ac1340c7e9515ea979452df2ca2b9c4ef7fac941b08

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
314KB

MD5
586e820f351c732d8fe7082782465906

SHA1
c455b9f2964712bc317fbcf19890493091cd9813

SHA256
490cab44ef3e20019b9d65b5212ceb8ed1140878f3f24b85b8c263224ca2f895

SHA512
f0a33d686ad190e142b4faf8137a699fafacc7fa52e043386969e8284dcebbc81e63c6f856c05f3b65b6e0ffe2d17be50a917642107a52b52c70f32095ef6cd6

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
314KB

MD5
5967d59c7902892055151b3fc7cfae25

SHA1
fac21ee8936cf5e9ce7c7757d61c8b48f87cd4e0

SHA256
1ee6b3b242cdee413f90365ccd5ab98a3aa71f95bfb86dea2b14cc7680fd5f7b

SHA512
0867963c0ed3df339a9ed3471985b0eae2078d85b3ebb77c9c03b2c6820af8840ed2603e072072176c1390088215ed0b6fb402a694ee64032fc6a65132df2209

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
314KB

MD5
b3fc0a38d2b2d4ccd5be536ef55a64c4

SHA1
93d9af94a642e165217fb8c6c76420839ffee827

SHA256
5dd7b841c33f6a59da884daa67d847b7c7a4831f0f543c1b692098cfa07f26ad

SHA512
010008411f980be5f168c17efa3e0be1f9fa646022acd321aa828ac422ba5fa5e805f8dd21f71b5931be534410405b608ce45af8daf8f6a0449b0233965d27d1

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
314KB

MD5
eccdda399c3b67657d2aa91d60ea32d5

SHA1
528dbd10673f27a1e48ba53479970aff3d1e8ecb

SHA256
390ac88c3562ba856d9b90b99d31174d5dcab10e469ffc2f9ac4d720582c60bb

SHA512
13f1cb29b2ffb19491aa70b05ca80a62b8e9be46c2172b9506dd21f22708f2980234573b70b5c0eedab7603106e255c56a461b55d3ddfadfdc7f3a50397ddec1

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
314KB

MD5
239d45bec187d8d3483fd6712b73f0cb

SHA1
8ed5bc5f7ae5f1bd84ee834ece212d68ac72613f

SHA256
10ad34b94f81c6ebf2725872424ee95248865f7ac358733541730b50d2a964be

SHA512
ea13bae144dae9309f379de519ab4a18b1dc0f01bf8c86a4dff2b393fea887985c482e40b2b96153b807f293231e0a3ec300350bf798743fca64f9bffad34a11

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
314KB

MD5
e7bfd3208bf0bbd523c7fe329cce7595

SHA1
343a03d1c57642b947a625ae54f0f28576993c4b

SHA256
de7eb42380fcf190e617ccdd4c28fe60c88ad1230ce79c5267a3129eb8a0188d

SHA512
c7603e881ed4ba4a57c7be4855dfcc77df217b444a91b39060107b985f6686614e945e4490fd47e0b4d97d3edcd8cc8e1668ddde9ab2e0dad65b26795f0841c1

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
314KB

MD5
4fc3b22d463c25b8c2bb64326239a37c

SHA1
e17146a19856f2463fb85f40718486921626986f

SHA256
6a481e1eb703824e48e5c352cc5c1519640834fa2352cedcc74898df9e87db6c

SHA512
a584fc0daa9e97e1c26bd76059351ee4909ab93c9d2df080cd5aafd1621f5f64d292d27ad7a0d90a5c0878663daec51d85d378690b8a872a0e85a7cdfa16b5a8

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
314KB

MD5
84be866bee31e7f0c441ec9004939d84

SHA1
d31399b9fc195194443b2f1bf5d3912dd0b4d090

SHA256
90fb9c78e7ce019c7844e88f18920dea687aa1132506fc16eccbc02ca581c5cb

SHA512
13a0222cac45fd2adacbbb1ba1518dad5755f3818b437624f1f348829b8853d60acf5719422d4cde51b4cea034e9bf03d6adcdcba44f8f10c38d427e4e6a7697

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
314KB

MD5
e5b058982852c465d9b5f91813419909

SHA1
e63c3351285c03a0898547c49adcac549cea020f

SHA256
2e29d30852a548f76d758bda1ea0d6c6b66332f0c0bb31a68abf3e7f207440b1

SHA512
4a2717d7ce03a5c9ca387f858cfc0053b0c94f60015ff906ceac6960e0bdb9f297b0df3b256335aeb4f9dbe1525818244cc52379f68d911d7af68cd5b3854d60

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
314KB

MD5
40524ea57738085f18ca86134ff52219

SHA1
222a83d93942652571346f1510bf6b84410c67f9

SHA256
3393496e132195dd458401f082b12b054f53e5a0623be53d255aec802186aad2

SHA512
b52102379bdeda283ad2a87082a5da3b000739c4e167743c42cc3e414155d8276ba5b93b813b51dd024e849966013cda00c89455ac1d14c939d5b36483e9908a

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
314KB

MD5
ce46b887eef99d72809b76ab8f3cb7d2

SHA1
45d278006ec4e6aff674cf739f2d9e06425a789e

SHA256
9722ecdcac02c3130fb83abd7bd9423744a6424fe2fbfd2f34e596fbae4a5247

SHA512
52ce3db64dedf1dbb17a96b0a13fcf3f2ca178042217f01c8fc4cb8f38273004926348d50c99c2a58514c2878ffd6854975c50d616f81250b4c5672528801f4f

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
314KB

MD5
50b05944b10d084495009ede395b4242

SHA1
d072ee1df195c3a2cd05ec9fdc83e84820463900

SHA256
af9fd8f812cbdce66bd00da40e29e13a9164d3cabd0ad0938febb89c8e4b2a41

SHA512
7cd9d3402c4d7bc7bb40e8df65c4832e3d0a9c8d991584f1484cbcbca3b3e491a754f5190fd8288930733ad97e76816b5d8db6cbed806d2058d23debbc55511d

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
314KB

MD5
f3f13d3f2f740cf2570007cbae2078c7

SHA1
b4ac3a9a8fe62e245b9c3c0a6e2be110635d2cac

SHA256
5571a3e231a25bdc395abc960ac3c51460d3f42e4fdce54f74e9b0156cef1137

SHA512
a06da4286f9d59a6ef2979bc2c19803a605c450242deec4680f1d39ce6b9bf40a3548008fe8c80678cd9fe748424bc4ca5f4bdea4cd303ef47271a085dfff23a

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
314KB

MD5
4e2d0b65ce950896bffb6e639c23872c

SHA1
64a2c9ede18fa9e493d7925be8d102e751b1c5bd

SHA256
7434a3edfdcc8431db817f01dc75daf639eb4e72a03e74955f17e7616a86e4a0

SHA512
9c78a2d0c43b118f997511063f996ef36d5001b38da61ead77c1496676e4df3e394582b97bc865877bef24fed87fdb28b6b83238bb4add16ac0f4d9613c8a3ba

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
314KB

MD5
b443880f920df5ebb7e3b6ac49cf7392

SHA1
75d078c077654d7405a1a73ea5e192bcdbe0249d

SHA256
4a9e81e260cf456867c9e02ea1714e5e6522a33a32d2c3076d6af5e811363b9e

SHA512
f0fe44018a3813bb3529b1d5a4e5f6ec691999bea6c562053822079282525f2bbea6d0aabb62cfe3fd3525d130c6f3d44423758d3b91e60003b7b2e646629f8e

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
314KB

MD5
875c7a99ba3d551080ea43bd92bffbf6

SHA1
2b5dedac31a086054b44d9052e6b9e2a3f41c333

SHA256
1e2236f0efc3f853467b33766c116e5e8e58f8a02809113251aeaf65db212b5c

SHA512
bdd73344533d323d47811d7dc5fd4439bb8e30a08f7ffb1a6d07496336ad4b11186d196a668ff2a95e7ac0a250e173490339ce7b73a91fda9b9f63b254d49a63

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
314KB

MD5
0bbcb99844fd2ac0a875c751923f7286

SHA1
ae58a201f0a2afeed803fcc339311507cda79f19

SHA256
8740365757366ebf7df2d5efaae2b1da2574e8cd0a22924ebc550d3f8e9e075a

SHA512
cde088a98d93a2bd1c7b623ae0243fe7488c1f82dc0c6eea1f696684547b6ab09cff70f86eda2d3e7fb797024a23d331616049bfe90e462952c4101224cb5293

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
314KB

MD5
198adbae2d23e61395bb3905a9ed2b84

SHA1
77035b45be92afda924bfc8ac9b5302418b8febd

SHA256
995644e13c037a0595c81eee659a1df4ccdad7cfe62a013f3624258ec934de98

SHA512
80d98e9ff400c4eca54fc3cffdcf10f8592718d6aa4c8a4029141259f6aee7415d728c05a0da362c9b123a15bc6eb7ce98db77ccd82833af80826c6640ee2c8d

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
314KB

MD5
a8819e306507e8421592504f7e65e388

SHA1
9fcbc01e34078734c325667984f1462f7fe41feb

SHA256
6ad610e780df2c2b646313b11817bc2866b020afad78da92b0f5e6684173d9ac

SHA512
92bc4ca245f3bc3380b8df52450e41d844d6b065d3867529bbf2e450be17d08674b596174ad967aae255741071a19fe0aa14bc30c5bd3703e84173ba8ad311ab

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
314KB

MD5
d2073e438c9f6530cbe2ae25c4e4288d

SHA1
60c00b41bdb4f516239a10efcef4afcba66de779

SHA256
d72ac7ffd7dcb5fb8eccb75eea69f2820dcde6c8a2c4f3638516322f6b5afc69

SHA512
e93b0172e10e9e01820cbed44165d43964385de7eaf74f67ccdc29649bd744ce66ef298acf0571cf76b8ddf3b2b69ee309d70735fa57fffe37035f357b1837ef

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
314KB

MD5
537234155a8f5b13306d70d951e8c2ec

SHA1
f2db35e05351b42e1bbe804ac8b6190798bab8c4

SHA256
41785e8ad729942cd64e2420c89f14589e6e9fa4588366dc546ad0d9a40f831a

SHA512
f7a5fcdf66387c8fa32524b2e84fc6bf52e936e34b976c1ded52938d7756c7ec5ad10b75e6563a3e908e4e9f5e78769cdf8d847e4b686b8092db6aee1ebc116c

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
314KB

MD5
363e0ffb4de54b6699e14ae3c1dfe0d1

SHA1
6837e54631771d7468cbf195ac9b46a9c0d56c0e

SHA256
bf8c51f4efe9b3c1199ee1a1733cb3a65ae1a985bdbf3097575ec17f9993a8eb

SHA512
1b4a86d98e8cb32a088817237b4e3560d5d9a9647fc039d6dca840663054aa16bbcb80dbf792bb19d82cc73f778e6bca29ec4fb141a06019220c03abc48c69a4

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
314KB

MD5
2b606bf8e323089c1703dc1cbf616db0

SHA1
cb858ec86f7b54163db0253306c10151af546a5b

SHA256
12dcfb29397db1f5e2f8ff5a24353171cf613fdc797467a1de458a99454a396f

SHA512
4d152d4ee58fa1d47a1ce0ae904a59a50562268a6e726ce86c0f1cf30b2f24b49b1bfe931fb07fbdb457c99558dff10e0f3a21d2692b0c8aa6336fa7745eef06

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
314KB

MD5
9dfe7e475502bb81ddf4a8b7edc91b59

SHA1
f7bccc3f1f00fa8f15488d49a45bf93adb84478f

SHA256
817fe54feb83cce0dd380e6a43b7bff272b14b390ca25c72e1f023b0fe89fa1b

SHA512
337bec46b73241c4f84f984151af11280b16ded1d4a67aa70187da530ee61ac327f75e765e09b0b2d6bfa9113df98f32cc4cb8192e65a59d4b77aa876aec76a7

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
314KB

MD5
dca00b2122619a958afcd5b751dab75c

SHA1
77fae89b77481f39aabdc1bae5063204b57b23d9

SHA256
2d63e6ba38d8af060a8038284cf3da331e9a2a1f05628a7865a59574c4716ff0

SHA512
f5ce22475447eaff17ba0a9de59ab6cad66ad11f9437a30340721ba7f1bea999cd0bb409e6f26bab05666c87af6890fbbddad98defda797a5c32a7a7dd11957a

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
314KB

MD5
7244d94a9ea8efc8b0ab70eae8cacaaa

SHA1
2884cf91fcc391b77473f997f9227b476eabcffe

SHA256
0879426105112d9327c606664afaaf599c4f6c29c3d78d39ecf083ee7c0c71e1

SHA512
aa2e1ed5fa47ce37e4050ebc536afc7cb50876a03a2f6813f32c732bdc0543b14f4813a4137a041aaec00efb24f5a03f71cd56f5031ca5fc6ecc040ad1de54f8

Download Submit
memory/60-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/516-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/808-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1052-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1180-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1264-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1368-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1784-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1856-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1956-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-540-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2440-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2496-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2496-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-522-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-69-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2828-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-504-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-480-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3196-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3208-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3304-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3444-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3468-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3552-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3584-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3732-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3800-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3840-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3884-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-534-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4140-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4200-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4200-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4236-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4236-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4464-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4532-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4736-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4764-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4768-427-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4848-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5060-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5124-547-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5172-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5212-564-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5256-571-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5300-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5344-584-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5384-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5428-598-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads