1ec11b784618ece40eb176f5e4c877249ce68cb6b1786f09e9d0e194fd2135f2

Analysis

max time kernel
137s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 23:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

53b03f27ad7dc4b5e698dff8502bf910_NeikiAnalytics.exe
Size

108KB
MD5

53b03f27ad7dc4b5e698dff8502bf910
SHA1

78a4cfa65a13b5fbf04772625b17756844450648
SHA256

1ec11b784618ece40eb176f5e4c877249ce68cb6b1786f09e9d0e194fd2135f2
SHA512

170f5c7248ccbcae9c37c40df02adc9038b00de50fca696d53da69da7b6e4a10e7bc633961b05556ba9931ba4c1b8ccc099ab352e5dbc0f54239112ae77d94fa
SSDEEP

3072:doBrYJZcCUDOFhg/gI+GFFcFmKcUsvKwF:dohCZcCZz8+GlUs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe

Executes dropped EXE 64 IoCs

pid	Process
2564	Hmioonpn.exe
5020	Hpgkkioa.exe
3260	Hfachc32.exe
1588	Hippdo32.exe
1512	Haggelfd.exe
1960	Hpihai32.exe
976	Hbhdmd32.exe
684	Hfcpncdk.exe
1700	Hibljoco.exe
1672	Haidklda.exe
3436	Icgqggce.exe
2768	Iffmccbi.exe
5000	Ijaida32.exe
2308	Iakaql32.exe
3760	Ibmmhdhm.exe
2952	Ijdeiaio.exe
4036	Iiffen32.exe
2080	Iannfk32.exe
3288	Icljbg32.exe
764	Ijfboafl.exe
3572	Imdnklfp.exe
3312	Ipckgh32.exe
1964	Ifmcdblq.exe
4552	Iikopmkd.exe
3504	Imgkql32.exe
2976	Idacmfkj.exe
1452	Ijkljp32.exe
4828	Imihfl32.exe
3244	Jaedgjjd.exe
4212	Jdcpcf32.exe
3496	Jiphkm32.exe
4148	Jagqlj32.exe
5004	Jpjqhgol.exe
4992	Jbhmdbnp.exe
1652	Jjpeepnb.exe
1712	Jmnaakne.exe
8	Jplmmfmi.exe
5012	Jbkjjblm.exe
4464	Jjbako32.exe
1488	Jmpngk32.exe
688	Jpojcf32.exe
1828	Jdjfcecp.exe
984	Jfhbppbc.exe
4800	Jigollag.exe
2324	Jangmibi.exe
2632	Jdmcidam.exe
2008	Jfkoeppq.exe
2368	Jiikak32.exe
2568	Kgmlkp32.exe
3984	Kilhgk32.exe
4780	Kacphh32.exe
5024	Kpepcedo.exe
3932	Kdaldd32.exe
1708	Kgphpo32.exe
1996	Kinemkko.exe
4340	Kaemnhla.exe
768	Kdcijcke.exe
1200	Kgbefoji.exe
4028	Kipabjil.exe
3012	Kagichjo.exe
5028	Kpjjod32.exe
3256	Kdffocib.exe
4520	Kkpnlm32.exe
2044	Kmnjhioc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5940	5248	WerFault.exe	213

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 2564	4444	53b03f27ad7dc4b5e698dff8502bf910_NeikiAnalytics.exe	82
PID 4444 wrote to memory of 2564	4444	53b03f27ad7dc4b5e698dff8502bf910_NeikiAnalytics.exe	82
PID 4444 wrote to memory of 2564	4444	53b03f27ad7dc4b5e698dff8502bf910_NeikiAnalytics.exe	82
PID 2564 wrote to memory of 5020	2564	Hmioonpn.exe	83
PID 2564 wrote to memory of 5020	2564	Hmioonpn.exe	83
PID 2564 wrote to memory of 5020	2564	Hmioonpn.exe	83
PID 5020 wrote to memory of 3260	5020	Hpgkkioa.exe	84
PID 5020 wrote to memory of 3260	5020	Hpgkkioa.exe	84
PID 5020 wrote to memory of 3260	5020	Hpgkkioa.exe	84
PID 3260 wrote to memory of 1588	3260	Hfachc32.exe	85
PID 3260 wrote to memory of 1588	3260	Hfachc32.exe	85
PID 3260 wrote to memory of 1588	3260	Hfachc32.exe	85
PID 1588 wrote to memory of 1512	1588	Hippdo32.exe	86
PID 1588 wrote to memory of 1512	1588	Hippdo32.exe	86
PID 1588 wrote to memory of 1512	1588	Hippdo32.exe	86
PID 1512 wrote to memory of 1960	1512	Haggelfd.exe	87
PID 1512 wrote to memory of 1960	1512	Haggelfd.exe	87
PID 1512 wrote to memory of 1960	1512	Haggelfd.exe	87
PID 1960 wrote to memory of 976	1960	Hpihai32.exe	88
PID 1960 wrote to memory of 976	1960	Hpihai32.exe	88
PID 1960 wrote to memory of 976	1960	Hpihai32.exe	88
PID 976 wrote to memory of 684	976	Hbhdmd32.exe	89
PID 976 wrote to memory of 684	976	Hbhdmd32.exe	89
PID 976 wrote to memory of 684	976	Hbhdmd32.exe	89
PID 684 wrote to memory of 1700	684	Hfcpncdk.exe	90
PID 684 wrote to memory of 1700	684	Hfcpncdk.exe	90
PID 684 wrote to memory of 1700	684	Hfcpncdk.exe	90
PID 1700 wrote to memory of 1672	1700	Hibljoco.exe	91
PID 1700 wrote to memory of 1672	1700	Hibljoco.exe	91
PID 1700 wrote to memory of 1672	1700	Hibljoco.exe	91
PID 1672 wrote to memory of 3436	1672	Haidklda.exe	92
PID 1672 wrote to memory of 3436	1672	Haidklda.exe	92
PID 1672 wrote to memory of 3436	1672	Haidklda.exe	92
PID 3436 wrote to memory of 2768	3436	Icgqggce.exe	93
PID 3436 wrote to memory of 2768	3436	Icgqggce.exe	93
PID 3436 wrote to memory of 2768	3436	Icgqggce.exe	93
PID 2768 wrote to memory of 5000	2768	Iffmccbi.exe	94
PID 2768 wrote to memory of 5000	2768	Iffmccbi.exe	94
PID 2768 wrote to memory of 5000	2768	Iffmccbi.exe	94
PID 5000 wrote to memory of 2308	5000	Ijaida32.exe	95
PID 5000 wrote to memory of 2308	5000	Ijaida32.exe	95
PID 5000 wrote to memory of 2308	5000	Ijaida32.exe	95
PID 2308 wrote to memory of 3760	2308	Iakaql32.exe	96
PID 2308 wrote to memory of 3760	2308	Iakaql32.exe	96
PID 2308 wrote to memory of 3760	2308	Iakaql32.exe	96
PID 3760 wrote to memory of 2952	3760	Ibmmhdhm.exe	97
PID 3760 wrote to memory of 2952	3760	Ibmmhdhm.exe	97
PID 3760 wrote to memory of 2952	3760	Ibmmhdhm.exe	97
PID 2952 wrote to memory of 4036	2952	Ijdeiaio.exe	99
PID 2952 wrote to memory of 4036	2952	Ijdeiaio.exe	99
PID 2952 wrote to memory of 4036	2952	Ijdeiaio.exe	99
PID 4036 wrote to memory of 2080	4036	Iiffen32.exe	100
PID 4036 wrote to memory of 2080	4036	Iiffen32.exe	100
PID 4036 wrote to memory of 2080	4036	Iiffen32.exe	100
PID 2080 wrote to memory of 3288	2080	Iannfk32.exe	101
PID 2080 wrote to memory of 3288	2080	Iannfk32.exe	101
PID 2080 wrote to memory of 3288	2080	Iannfk32.exe	101
PID 3288 wrote to memory of 764	3288	Icljbg32.exe	103
PID 3288 wrote to memory of 764	3288	Icljbg32.exe	103
PID 3288 wrote to memory of 764	3288	Icljbg32.exe	103
PID 764 wrote to memory of 3572	764	Ijfboafl.exe	104
PID 764 wrote to memory of 3572	764	Ijfboafl.exe	104
PID 764 wrote to memory of 3572	764	Ijfboafl.exe	104
PID 3572 wrote to memory of 3312	3572	Imdnklfp.exe	105

C:\Users\Admin\AppData\Local\Temp\53b03f27ad7dc4b5e698dff8502bf910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53b03f27ad7dc4b5e698dff8502bf910_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\SysWOW64\Hmioonpn.exe
  C:\Windows\system32\Hmioonpn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\Hpgkkioa.exe
    C:\Windows\system32\Hpgkkioa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\Hfachc32.exe
      C:\Windows\system32\Hfachc32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        28⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        30⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        41⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        42⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        43⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        44⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        47⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        54⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        57⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        58⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        66⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        67⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        69⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        71⤵
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        72⤵
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3588
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        74⤵
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        76⤵
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5080
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        84⤵
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        85⤵
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        86⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        87⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        88⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        89⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        92⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        99⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        102⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        103⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        105⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        108⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        111⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        118⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        119⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        123⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        127⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        129⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 224
        130⤵
        Program crash
        
        PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5248 -ip 5248
1⤵
PID:5808

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceaklo32.dll

Filesize
7KB

MD5
88e1670e8d006743459a3d1263d52537

SHA1
366a938f701954aa3bad162344430018cf1f9505

SHA256
65c9168c2fdd894073e3920e2822254a21ba54b1f3d353828022b55e00e0bf62

SHA512
06b7986adadc79c105dc874790b2af3cf50dc5929487b06051aa9c6063e1b6d2db3eb5e65dd1e5642aab2616c34d45f7e1a77df1622f92aeff6e8673ed627408

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
108KB

MD5
b38fc23c946a02edb412a842c1aff741

SHA1
421069748287deac6316df519b0bce8d32870d7f

SHA256
31cd58241af37d6f48461df120114eee7ee5d98d080389b107458c6954a1788d

SHA512
583f7ae682e62ff4bfb0e9603d556253678829ba6af8ddbbb020323f589e6e308b31adc571a4aa54b774ed594ab52d8224c895d653027a80f709b61f03af798f

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
108KB

MD5
f205bd9d9a6cea0310ae9b8823b01cbc

SHA1
a1aa5118ecad54bf4c3a0092e6b121fc6cfdc87d

SHA256
76d85eaff6c68fb2e86652387533f97566206b756d8558b90b7691fe9d6b08dc

SHA512
d8cee08fa44a7331e3deaf6d4555cfc9fef2b5c98f0a616321c6089533d8ae32dbf0ea629d4fb4b430690e24b728345eea80ed25aa7df94724d9c9bd8f3b2606

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
108KB

MD5
c62da624a61a2b708607e403786ceafd

SHA1
22ddc65349ed0186fcd3deaac2410277627583bf

SHA256
8c19def5beaf4918cca11fdeda3239dcda336c662a3ccda406ebc0284023192d

SHA512
9a87f36f6d60486c31277475389a5356cbc4d38dec5957461b223c93fe432918ee097f57bd3699751ede492cfcb70127aa99151ab6a29ce1883b0a255159d255

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
108KB

MD5
cb79566185038cc9dd075214ef71dccf

SHA1
a5d807940f491ef181700fcff7b065feba7a7d9a

SHA256
a303801468259512b9f6901d5c279f3efeaa6671085d159adb5df6406fdf1d46

SHA512
b0fc6413391b1898475342fc89b349fa78002498d721efb47a4dfa6839e6afa470a33e9a94b7c8fbabfb8d24dbd168b2bdf1f28a60b0f2cdb043ffad0895a43f

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
108KB

MD5
683958e5f7a316d0dd517924463ce10e

SHA1
7f91cb76e0cf457861390a1cc0003947aa7373cc

SHA256
1af590711b1b11d8138d3acc4c2094d61e6f86f8e27700bcba94fbff8cf37a77

SHA512
a23ff5f492e1fca95a36870c9cf54ed54ef73e87d73a1406da19fa435276de2b868c6bdec3369ebe0cfe9dbb0bda8148a7ec9c30fdaead1cb33a7a06ea296d01

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
108KB

MD5
bee837fd5c1502064e4a312d06e77246

SHA1
29aa1eff93dec4f9f938a31e27eda16b1b77b210

SHA256
b77933a245e2444d411547053f93eaabf60b9ea5aaf72098d38de44d7d5b5fac

SHA512
7db378570d6fbf23a7e8b33874c4280abdaef499858c5758ca5872f219de216ebd51cf318d69f80a0afa1a15bc2e47ed33ac5e34724608bc2f7d9d14eb54aeca

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
108KB

MD5
91c48000759df4ec5444d7ae8200b1f2

SHA1
5cf1d4f703c8688ac8718e9cbe94822902935968

SHA256
10444895481029ea55331467c244e55d47e736d15098960637f34122d4f93bfb

SHA512
7f8aacc41890943c2f5a9f8a454ac4c2394b883d5381f3d453bbb0560d365f7525746b8e0a76a1abdf4925611a5b5e00f5db25f73eeb3e8b733163662fcf9ce4

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
108KB

MD5
48b04a88f6b048831b2471af1800d0e9

SHA1
8427b92fa7b52c6848ad3bbb6bbb894f108ab400

SHA256
3ff8d3fad557792205c9971e1b0739beddfe742a51a0eea52ec06684a2b6529e

SHA512
75b0e37a8fbe0eedb779fb6703afcb5bf072e3e29664fcd3e59ab22ecbd01fb3dffa1f5c595408c5fa5733bcf0f7137a1e2c41d0d421a4d9adcd926710537649

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
108KB

MD5
6070e4cc78c3c67fdc3c540a5cb1c601

SHA1
dd460114efcf364cdaa5a46854a8e10ad01443d4

SHA256
51b7253b0adc163fcbd2326f3811ffb6453a939471b3b299052c3eb13243cd4b

SHA512
447dd932e4ad34d8e3031031d7716db817f819e4e1b1915a190598185bccac7d0e6110c3d7d6e4df21b21c3618949aa9deb0ecde92b39f5232781d0f5359d1d5

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
108KB

MD5
26718995c987fbfd260bd0d0ca5bc3ad

SHA1
a95fd01487632f110ae6dee1ad9140dec95af6eb

SHA256
019256df0594bf1698da13488c0b68b28160f60cbb4f355334d7b772fdb2bdb6

SHA512
00829d89a0a2c85e9a02616448821a98a535c6cd9dc93dfbad6c512d72ca809d0b9ec9c21c4c352c077776537c569c24dd44382ff2ce1d361083694153fd0da7

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
108KB

MD5
8f6e74821ca11c4ab2e8491ad6a9409d

SHA1
75270392f899f347e263445516556a489d4bb776

SHA256
e34146c0ba9dde956edd9b08283ad3dd385a2dd53ee07ad6fcb8e3415cc1004c

SHA512
f34731eca7818ced7dc5fff5dedf0e107ef9638067256e6ad96ec4020eb667221845d5cbd9486a2b5ee1dfb1681554621feb5df44fc639808e1a39d98e95702c

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
108KB

MD5
9c6567727ecf349529df7e6a6005ecc5

SHA1
8b40a4696320701d6f75763529dc5c174cc1f546

SHA256
3284d041e42a39f583fba60d84e2e345eab0bd482c13901c12e65500cca4f8e7

SHA512
27440d4a202e3e3fcb2cabe41bc77b9b5184f5d93d3db32a268547897c03c6b678a590915b82212d8072d1e406d68c33323c09c52bcfa27c336b82bb9aea9448

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
108KB

MD5
6a2823ed6836e5ac18230c4cdac3b75c

SHA1
8c9bbb2ea89d217f46d3e3a20962c80ceb87c7b3

SHA256
10f5ad1e607958dbd6057ce714e86a2f5625438f2a65834c50f10cff87e9c3e2

SHA512
ec5b6a8db37f2a37cecd04cc17911bd200c756149ef8eb7b0db3aa46aeb77c837c483df3cdf7a38ac489932b1ddd9ce87da300524c0a3fa99a7f8a16df769ca8

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
108KB

MD5
14b905302c4c5fa08e260cdd65a02f33

SHA1
d75cc7c4a1a3734c36512b06b4564fcdf5cd3918

SHA256
8ee21b8f27bf48369c45e5a17a8a565d1dfaad0ae3ccf0465e3e9554146d0f8a

SHA512
27b6e01dfd51a5f35a9488dfc736c1b4a859377ca193d907be6ac4fe798a6752927c0fac4f2c822ec894f2803ec0b6fab5e3d3c3ee7cc4aff2d1d2ae25376f2d

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
108KB

MD5
f069ff11313436475d81ff803cf16282

SHA1
e78c9dc43cbd8211791dc438d1b262f447b0c226

SHA256
d1eb83353884c55fc597d1ec2b72a45296e72dbce8e3a1119ae969993241f1cb

SHA512
a2c9def17f0d86e72ba125c8223391a9702f205e40a89db2ecfad80647175cb7797a1a72bc18da57fe471450c66bc81836e1eafb3d67de730a5e7395ed55f97b

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
108KB

MD5
62abae93de70f6daad1222bb2d257bfa

SHA1
1251c27eb273b579d96bfa80b952d5ed29e5d1bd

SHA256
5d8197cb7f5c4625ea9bb66afd8d77fdbd1262ad89c2da0f345dab4a132c8c34

SHA512
e970ca0028801f92b5e752f75474708fdbd687947609cf2b2cd8a96f75a8f98f65c148f9f8a084d7dd29b71cb89fb23fbc9a5d11b8c6239c47d821b84d85aa71

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
108KB

MD5
a1cfbb337adc1cd8d7e14fbde31757bd

SHA1
89543e448e6b37ae3c679200da538013250d2eb4

SHA256
b781b3a906dd60f0eb00d19c81060847f01b28c3273e825e109ece658c169a87

SHA512
e0f618c2de8e4c2dc3bc5b5f7cc38b017f8ee0ac9382ecf26ef738ee4caf7e73e4dd2c3610b4a5453e016e7bfe185deed067070925e865a003ce27834c2346b3

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
108KB

MD5
435c0e2112b1b432e378d7448b6def4b

SHA1
2313213f9999e90cd49760f124aa8f8cdbc6c7b4

SHA256
506e523a1e991d3f50f0a3f88eb028701cd18d148fdd7bf797910c4789cfc994

SHA512
bd14ad9f5276198087a08e4d49b974acba3f41bfe1198bd95890e50bfa6924b5af8018841342dc5612b2aeec57736ccfeee46f8e887c17fe32dd790c2438f3c1

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
108KB

MD5
e33f4989d17d3546ec1adb843a2b5cf1

SHA1
1873ccd77fb5ca9a3cfd387f282052af45f7b2a1

SHA256
e81506a3cf403ec91e2d119ce6babb2bcc6f8f605db9b63033f690cfafba629e

SHA512
32f294ccee071a61aed5520808ee9f45f1f08a773d1840a4e353dd6069e5830a397cbee418d9e158617f629890fae0eda0bf967494403d1e0227756e6fc22037

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
108KB

MD5
d9ef72de8e741b2a38494a562870ffb4

SHA1
0c6b8417dd4a0b78d017a512096de2deac0fa28d

SHA256
16320269593dc50e41dc4f38febc4dad47790b4bb934d8f00be36a6732641699

SHA512
d1f61af06bc6edde01e2ff742898f41b5f096fbb6ee0398dcd23d1c7f147c167e7a2395cb4329db948846076566aaca85b469068faa78827328a1316292058c7

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
108KB

MD5
a18b0fb0e75f19fb64bf262969681dcd

SHA1
13102be0d7cfad8eed96ca4b4eafe083aa7a8792

SHA256
88c0266b46899a1f63ee8f5c76322a7592e4fc78650a8e2e1d4fb735c6304393

SHA512
68cfdd86a20e3ee5450515b88b5a7631947fb35d95683de0520d7138ef0e85c355f8572c8d6750bdbd76e22bba524a619743908e514efccde7d2c936e1aee152

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
108KB

MD5
402b698f1d02695b3f982d9bd61a1202

SHA1
dd931632c41b727618607c6ac9f9a855eec2d303

SHA256
bd020b928e4a0528c876848b82d65d25c127787a6e7c5a9780ebe98df84ff07e

SHA512
c7330e1fd22abf84ca74af877a633bd96dcd7e774e5e53f849ff39d4ee3da5c209a31b2227b74bef770113528d9ee7420e98c5f2d7a0c5ad413a94acf343804c

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
108KB

MD5
90c5fb6e3047779b9319b418752ee3ec

SHA1
ef07da0b3a78fab39ba44c4b3e68e0bd16772c93

SHA256
4945b3b68292a098b45195b1a5cc926c80034414b4ed88edba346cfc147f4a4e

SHA512
bbca1b657650a0a0aff9ad7d1bc3f5260e74428017e70df45a069c4b531fc4715fea02dfe0a37c5086ae1c5d2d2297d075d34b5c7603561776dc99d546dd5e28

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
108KB

MD5
b6cf1af22bafbb55be7a31839f12c953

SHA1
83748a53597ab504f8e4f467cb8742b372e69f79

SHA256
b54a96645d7d7d4af281d0b35ded585197c45a0ed57c5276b570ce15509c5c56

SHA512
359f4a2f107d6b56e1c4b7e4c577cabf1c4ff64f40691c5c5b84eb383ee730172dab16fc75a28ca959ee8efc610eceb024e0edf04a54749e2eaf141a3b0e7e63

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
108KB

MD5
d378692934a0e3d79bc059cbeb953038

SHA1
d5fec14e3cff3d8a57cc9c211109d856488f8918

SHA256
0fe67b8c747d33dd571137476e03e4fbad7a25f9282df3863fb661d97c807a8b

SHA512
e0de1e09d3a7c350842c41858076248ff9a97c445e3b5f41a0d52b9cf85ac3b0d78485dfc45186e1e06f5a0b030ce7ee16bbfd95fc336dd9ebac80a178c47b09

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
108KB

MD5
3b418769b2c29b833acca710b571c255

SHA1
e7951224961c0a95a2a6a9babed27265be4b52de

SHA256
3980165e3730225ec58ce7c2a4f03c01ea2a13019e9e574752bd49bcf077b9e5

SHA512
fd2af6dce0cdf46093ba53d9fba63ad47b0ee0d4a5692b4bacb5fd844ac5b1fbd68a8925f629587c619257ca4cc520db15889134e4df96bd45ca5c902600b5e2

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
108KB

MD5
9d0f01054eaed9b159f7462252f70407

SHA1
7abac331240df93e2b428e164a64c44880748849

SHA256
7f99bb6c9f030ac81cf055ca5a7d353d948b732eb071e43d98fb1b34cdffe397

SHA512
0b244b6f667fa2d544b80cb4775fc02fd53f76d077c1632646b45b187a3862064c0794de9de0b69532ffb81b6c1e039c7cfae61993a410f8dfa57bcd33f6d878

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
108KB

MD5
1eba9b61638f551d6eec4479733270c0

SHA1
6f6b4e4b1e6028c59223654377c3357796643ae4

SHA256
1ca80b448ef0e064b05a151e29919d88ef24b59d42cc5941e2a3a8363810bbd4

SHA512
523ac3e2c1136be2f892bd030cb715ee67e3b4161e2a847727135cd3b4f92231ad5c154d68c6ba7e9b8af5f3d7f46557cb947ee176d68e183c93cd87ffc8b0cc

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
108KB

MD5
a90b2a4f445ee56c53f47631148201ca

SHA1
b185a81518b321d3348e4de6b5af05fbe4fc702e

SHA256
0a9b50948173e9e59b6b645a0472095f8fe10a84d81cd1f925d48ae91915f441

SHA512
ccde6c57180a4e8a2ae01057fcdc28a8fcf65a7052cf281432ca80f8514b383b19a4e0026f513842acc8d0e356f0bfb1da6e89a718ca7e5424cb1cdfa52c8042

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
108KB

MD5
ee00df727b58c0d620136bab2d42e9c0

SHA1
10e5d4903c69bae78d6934c28dbeb80081b7e820

SHA256
f051f5a7dd42fffe53e49539e7af0dc5d89408964b6749abdfbfb954dd5084ee

SHA512
b3c908aa4799b9c7676286126695f1046529bfe3a4d549ec498f64955f51cf8cab82fb84b87e56df59421c22d495c2ff8e59ebe7501bbe41f28ee36265168ea2

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
108KB

MD5
3ce18775114d603320b189ea50950030

SHA1
8bdf99e644ea5cd06977d0c3d4f62bfca17a8c93

SHA256
960c2fdfdd517b0164179019be0a242c7cd8a3c8b7b58ffd43631d43a38fc4e4

SHA512
ecc264350fbf9456f34799adff5c7fe2a584a3ac51b391b353884717878563aaed3023f6b95ca0a696c94f990ec55a899dbe60e68703babbde22e086f2f2765d

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
108KB

MD5
aeff5d60305763d1845c80ce68386405

SHA1
f233963b3519aa1a84327acf58925c5a29617e5b

SHA256
dc59165f3a6f55f3e427f4b89e86bead987e1d6a55575dcd429339213d9cb8e9

SHA512
6860606b7651f4156606b49729f5f686c1f49295fb73ae3138e2ae1bfd6fa1e0dd15012308ce182fda75900e62e78d4669d65e602d0c5c25562943469d44555f

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
108KB

MD5
bdb30298ff2d735f958152b1bec31e0f

SHA1
7eca72e24880244771994f3e761fb16945cf0a03

SHA256
584896d1747086e9c7d21b749c2bb9313f9fce5ab0de70c5ad941ec74418a04b

SHA512
12948a480df5ad7d4a7fb5b53c01493bfb920b7dae36995c96eec5d407973e1bc2f23e6b5351f83f17a8d6070de73dfb349ae6e38fcd20a6bd6c0dd7a1a5bf48

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
108KB

MD5
85a7c6bb0f57fb4d1077f5c23dd36159

SHA1
3fe8eb78b306294b8a8a28205a623e6dc7dda072

SHA256
6599eaae3188e9a70c4c2706233820d7ffebe8b313a32793d74f516faecce71c

SHA512
5004aea015f9da6b50b7100874bfdaca19f11af8b7fe78fba55913a82ccf2e218b9aa5c7b494002bfc84269358bbd4492dab2dc018588613268e1559514cd6f7

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
108KB

MD5
460a986f4016495e02165712844dbb61

SHA1
46cf2893c7a22b0faec91e0406e2e629c5739784

SHA256
f5ecda108b192a1065ba73ed745c682c6d18eaaf46aa164ab339f69062a66515

SHA512
cfa245600c564356e68ae7b265ed175bb96569674b8ccca1978d1bfd146afa24d9615cfc878410ea2244a36a0c70617eb3628a8bae4e1e7926bfa8a53b1b33d2

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
108KB

MD5
cf1b4a4f176b3340e2887a4bd1e9d1da

SHA1
1791ba8f3ad632d03ecbfbd24400a26883367eee

SHA256
099ff23794885f5ca10625eabdc0ce7ebd96d2a54c9c9595700fd2709dec82d5

SHA512
aedebe00491461a857b8dabf6c8880dcb54a4e6cc0e94e790b964c84be864bbf218fac76f5a325921d156aaf0d804ea2a5e10012d538c6acf4207c9623419d5c

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
108KB

MD5
551e52d424067f02b53aca3214fe90e9

SHA1
63e673462629258903b9ba9e488ad8de9f36d89e

SHA256
7373ff71296209f8a9e39ba5cf1b9498ecf453697eb1d070d48c9d5eee5c798f

SHA512
418fe5f256a15a19b3cf391a662a5ca71f23725454059f1fd82aae6739ce7ad58fb1de566b68fbe8006ce128da17704966ebe87660157a05be471d5498259c35

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
108KB

MD5
af6a9bfb3707d1f7137a44b1f6a3161d

SHA1
0cb146b4565cae08c91f80c45c47ab1cb33c8691

SHA256
a5263c8e96ef1775c64c7456dd3b898d873d87b804df6a2290816040badca561

SHA512
97eb1ce664799cb47acb579c2d5c26de4c3e85e34ede7993cfa2f69212258b28ed5b7b0a813984e79d1d27f82374139fd5e63349285d0ce52a83ea965017dd53

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
108KB

MD5
41bb01d6ba0084464ba87311b909ba7a

SHA1
e0f8f5a6c490bbb92e2a988d24448dd1088182e1

SHA256
872acc7b403453039c409a3553a84fdce4db15e6e5849149904b2be3124b44d2

SHA512
fdcc11d97f9ffbfcb78faf822226f223ec2604f27cd05eefc87f3c869c5b95c9e71ae5bfae927a510d3ebaadf5ee3527a23dd35bd07a06254b76b546a6f74469

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
108KB

MD5
5632f26cb5a288e18b665ccb25191a68

SHA1
9cc1a485063d94e299061b831ba816461b7f17ba

SHA256
e170b19cd5bcbfb92b53249362032acef1ca1634c6ab591837022b477e78be0b

SHA512
9d25b041f18c6d80d9235442c5df200708ed50da66530757c9c26c338c9e15ff08915b07b2cd6e879fcbb7fda3cea031f11f9c93102b8756686282043be44727

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
108KB

MD5
348edd39b4c521596e4f6010b1dd2b46

SHA1
446e415e0da85b4fcdfe5c28cf5540db8be6c7b4

SHA256
3109936efa722e0c29179ac01ee56c115b363ff270b105cd5ef70a2c065aa0fc

SHA512
2a1ca335d64a409fb4d989948b0d04490402d58ff4654e8c41a6752dafb5e228f095c246b704f29ffdb7bd827740a21646a1c9cf4602f9ef3f12190d77a14948

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
108KB

MD5
83188e4cd26564a9089b385faf64ed0c

SHA1
d555f7de532d7d3f569ad86f85f967f516af57b9

SHA256
8ebf7381cbc1af13f535d975ac55f89276177caddd625655245992930d6714d1

SHA512
da5cb7b98506d6589f3634baad74b918159a297fad754fafc83b82632239b6efdba2a3bb139256a7630eaf1a36e813f9de0a7e28428e28dc12e18710a36b8284

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
108KB

MD5
8afb95be4c09bca8d173ad66725f58c9

SHA1
0d892eadec7c811add580b0c407c3f144dc9b07c

SHA256
97b520968bc1061dac4106be5a4be6ef856dd903bd36728f90256800f7a8a3df

SHA512
474fed9ed62a95c9093c83a1bc0dd23817c414b43d888ddcd054174a15bd23183dbe09043745744a8dfd083caa4af876b1878b2651fb36a017468e8c71fd3e3b

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
108KB

MD5
71acccf077fa1cd0e0bb4d378ee4d2ba

SHA1
0d91575d40636fcffbd714f6a6ba238219140281

SHA256
c27dc8efcb4275d2ca523a3ae71f90afee954d2e4383324e91f96e8ac0377f48

SHA512
be2207095fbcf50a59961c40199e4d2ffdcc052b097803c964b498a8f4975955dc5ef4cb092093c7d5c9aad663a037e8e97e55a86b48f774385b24e09919fe53

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
108KB

MD5
c3933bef4b58ed80b0d314be268cf95d

SHA1
1cafa5ef124f1fbab5c8149e3b6facae44893529

SHA256
7afa5d7c54c7ca329db30ca6b22144417f17d0d9ea15f2290be0ca1961540955

SHA512
b784019d93bd08f444a5f5f075e54c96548feb38b6b6f299b7780554f4d493c9cf114da74f89162184eae78539ae3b6fc5190e6a4afa9fce350e6d571deb244a

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
108KB

MD5
e8d0cf4395ed420ad7bbb8776205cce9

SHA1
3bf09a0b9b2bd56c2199a881db0895321f783937

SHA256
17a6637d46d1bf280b0d2e2463d21cecf4ca74f4382ac1ea6cd3c2b560259d4c

SHA512
af2b11499931bf7215158551b9b031f88a887c4842f46b39eefdeb33413c61d659e46d927198b33257dccdea794ea6ffcc9a38523d68bb3f31b07fcde62b9bed

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
108KB

MD5
500ae53b6fa5f19fb7f3bd2c81a7d4dd

SHA1
03fb028cac5eef30e1bd6e495500903d26175db4

SHA256
3b4b1aeaad6554d896e9e9a7e47c8279696773b9182f3ac190c8f7a232b1b2ff

SHA512
17347ad8f953a804b0c7bfb6c597e8a145e2236e859502855900497a89d3816a08a466e9c5aa45a90b23aa88fbff9c1b1d2a7119087429daec8021372c17165e

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
108KB

MD5
fa175ce73b34ea1c74b783b3bf9a0dea

SHA1
bb29c9b8689216b548c7f4cd35d37d0eaa0e8ecf

SHA256
70ef65dc569e0bb258e7e21b186a12304dd452ee18fea32b23ec15611aa2ab17

SHA512
5b5a5c1edad599d52296eb46cce332d4e995b1ba06ec59f6c83e63f04b2dc650b936fb974d0ae49568e9a6e876b995dc7475c3f3f90a6211834ef221b93596df

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
108KB

MD5
7b2c0ce200dc8c39572db519f8791311

SHA1
0ba6d4aec8457a347c496c0149da603cc7961ab2

SHA256
14d5ff48c787c8b710bfcd84da3b8fbc7cc108935d3fcb93e163ddb3cde3d5a8

SHA512
aa73c4a92ad0be4a7900c4d0eeb39466e13ba709e1fedb71bd1de26d4c71fc144672929cede48ad9bf9e6004d5f8d2ece44513b6d09d0eefb52c84dea050cfc5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
108KB

MD5
cd132676fcebf7ff6cf5eba4a11b59e0

SHA1
561cb604d4508d66e8a90b46bd99b3fb9cc9cad1

SHA256
92f0c5cb8a9d5915d2212777a8ebfb7e68d2d5c71a5c876904a72a211c94b806

SHA512
22f39e9c43b692485951b7181d5f1fd9c7378ea8ecf4e5876a65dc7b081670bee2ed3729f0154126c98ba77643d27286dfd3ed2f4d03711a55563046e798f803

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
108KB

MD5
d5a99bcc137612dbf16de0d3e15e127d

SHA1
a86f918c296b5562595453e00dd63e236bd64b26

SHA256
0fe27b29d32cbc98bd6f16a3fe0f5aa97e0baf9b09a64d12a3aa389af781f06e

SHA512
2e68dc8b064e79d1397d03ca3df25bd2e8ac1659e68d5673ff8f86103959409d4bd28b7d6163c4b7e7ae25e23937fc37b9660bc9b79eaf68924314ba9518fb02

Download Submit
memory/8-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/336-243-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/684-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/684-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/688-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/976-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/976-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/984-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1200-409-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1232-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-1006-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1512-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1512-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1652-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-1069-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1700-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1700-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1708-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1828-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-573-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1964-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1996-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-648-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2308-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2308-623-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2324-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-479-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-547-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-988-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-610-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-635-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2976-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3256-433-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-562-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3288-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3288-656-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3312-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3436-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3440-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3496-254-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3504-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-1050-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3760-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3760-629-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3872-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-528-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-931-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-415-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4036-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4036-646-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4136-519-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4212-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-541-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-439-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4552-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4780-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4800-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4800-998-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4828-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-616-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5020-553-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5020-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5180-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5224-915-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5268-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5328-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5528-617-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5656-636-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5744-891-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads