c3aff6020b4a3a111393d215258a91980e71583824a5b5c381d026420f532ab0

Analysis

max time kernel
138s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45bb3355dcb12a4a424e6581d94dbe50_NeikiAnalytics.exe
Size

1.2MB
MD5

45bb3355dcb12a4a424e6581d94dbe50
SHA1

c5a8722764fb93e4a7dc5f75ae478c434b78c4fb
SHA256

c3aff6020b4a3a111393d215258a91980e71583824a5b5c381d026420f532ab0
SHA512

54ee665d163e9ce604dd048e959d977aba6c8f12e50f5b5d685522702285173f752c722204548bde1d92a041a6786670a5235df307813d0b9227ae58e0dd8336
SSDEEP

24576:2gu5YyCtCCm0BKh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YR:2gu5RCtCXbazR0vk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe

Executes dropped EXE 64 IoCs

pid	Process
208	Fbioei32.exe
1076	Fjqgff32.exe
5000	Fqmlhpla.exe
1940	Fckhdk32.exe
4972	Fcnejk32.exe
3960	Fijmbb32.exe
400	Gcpapkgp.exe
512	Gfnnlffc.exe
1268	Gjlfbd32.exe
3880	Gmmocpjk.exe
2964	Gpklpkio.exe
2768	Gmoliohh.exe
3348	Gcidfi32.exe
3144	Gjclbc32.exe
4532	Gmaioo32.exe
4436	Hclakimb.exe
2692	Hboagf32.exe
3232	Hjfihc32.exe
3528	Hmdedo32.exe
3644	Hapaemll.exe
2880	Hcnnaikp.exe
2192	Hfljmdjc.exe
4024	Hjhfnccl.exe
4948	Hmfbjnbp.exe
2376	Hpenfjad.exe
3580	Hcqjfh32.exe
2848	Hfofbd32.exe
1100	Himcoo32.exe
1428	Hadkpm32.exe
2520	Hpgkkioa.exe
4284	Hbeghene.exe
4908	Hjmoibog.exe
4204	Hmklen32.exe
2988	Hcedaheh.exe
1040	Hbhdmd32.exe
4556	Hjolnb32.exe
3724	Ipldfi32.exe
2396	Ibjqcd32.exe
4656	Iffmccbi.exe
5108	Iidipnal.exe
452	Impepm32.exe
4248	Ipnalhii.exe
4784	Icjmmg32.exe
644	Ifhiib32.exe
4780	Iiffen32.exe
2616	Imbaemhc.exe
2196	Ipqnahgf.exe
1656	Ibojncfj.exe
940	Ijfboafl.exe
5040	Iiibkn32.exe
3504	Iapjlk32.exe
740	Ibagcc32.exe
3592	Iikopmkd.exe
4460	Imgkql32.exe
4488	Ipegmg32.exe
4640	Ibccic32.exe
3060	Ijkljp32.exe
2672	Imihfl32.exe
4960	Jaedgjjd.exe
3544	Jdcpcf32.exe
1448	Jbfpobpb.exe
4548	Jjmhppqd.exe
4328	Jmkdlkph.exe
3432	Jpjqhgol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fbioei32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	45bb3355dcb12a4a424e6581d94dbe50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	6096	WerFault.exe	228

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 208	1996	45bb3355dcb12a4a424e6581d94dbe50_NeikiAnalytics.exe	82
PID 1996 wrote to memory of 208	1996	45bb3355dcb12a4a424e6581d94dbe50_NeikiAnalytics.exe	82
PID 1996 wrote to memory of 208	1996	45bb3355dcb12a4a424e6581d94dbe50_NeikiAnalytics.exe	82
PID 208 wrote to memory of 1076	208	Fbioei32.exe	83
PID 208 wrote to memory of 1076	208	Fbioei32.exe	83
PID 208 wrote to memory of 1076	208	Fbioei32.exe	83
PID 1076 wrote to memory of 5000	1076	Fjqgff32.exe	84
PID 1076 wrote to memory of 5000	1076	Fjqgff32.exe	84
PID 1076 wrote to memory of 5000	1076	Fjqgff32.exe	84
PID 5000 wrote to memory of 1940	5000	Fqmlhpla.exe	85
PID 5000 wrote to memory of 1940	5000	Fqmlhpla.exe	85
PID 5000 wrote to memory of 1940	5000	Fqmlhpla.exe	85
PID 1940 wrote to memory of 4972	1940	Fckhdk32.exe	86
PID 1940 wrote to memory of 4972	1940	Fckhdk32.exe	86
PID 1940 wrote to memory of 4972	1940	Fckhdk32.exe	86
PID 4972 wrote to memory of 3960	4972	Fcnejk32.exe	87
PID 4972 wrote to memory of 3960	4972	Fcnejk32.exe	87
PID 4972 wrote to memory of 3960	4972	Fcnejk32.exe	87
PID 3960 wrote to memory of 400	3960	Fijmbb32.exe	88
PID 3960 wrote to memory of 400	3960	Fijmbb32.exe	88
PID 3960 wrote to memory of 400	3960	Fijmbb32.exe	88
PID 400 wrote to memory of 512	400	Gcpapkgp.exe	90
PID 400 wrote to memory of 512	400	Gcpapkgp.exe	90
PID 400 wrote to memory of 512	400	Gcpapkgp.exe	90
PID 512 wrote to memory of 1268	512	Gfnnlffc.exe	91
PID 512 wrote to memory of 1268	512	Gfnnlffc.exe	91
PID 512 wrote to memory of 1268	512	Gfnnlffc.exe	91
PID 1268 wrote to memory of 3880	1268	Gjlfbd32.exe	93
PID 1268 wrote to memory of 3880	1268	Gjlfbd32.exe	93
PID 1268 wrote to memory of 3880	1268	Gjlfbd32.exe	93
PID 3880 wrote to memory of 2964	3880	Gmmocpjk.exe	94
PID 3880 wrote to memory of 2964	3880	Gmmocpjk.exe	94
PID 3880 wrote to memory of 2964	3880	Gmmocpjk.exe	94
PID 2964 wrote to memory of 2768	2964	Gpklpkio.exe	96
PID 2964 wrote to memory of 2768	2964	Gpklpkio.exe	96
PID 2964 wrote to memory of 2768	2964	Gpklpkio.exe	96
PID 2768 wrote to memory of 3348	2768	Gmoliohh.exe	97
PID 2768 wrote to memory of 3348	2768	Gmoliohh.exe	97
PID 2768 wrote to memory of 3348	2768	Gmoliohh.exe	97
PID 3348 wrote to memory of 3144	3348	Gcidfi32.exe	98
PID 3348 wrote to memory of 3144	3348	Gcidfi32.exe	98
PID 3348 wrote to memory of 3144	3348	Gcidfi32.exe	98
PID 3144 wrote to memory of 4532	3144	Gjclbc32.exe	99
PID 3144 wrote to memory of 4532	3144	Gjclbc32.exe	99
PID 3144 wrote to memory of 4532	3144	Gjclbc32.exe	99
PID 4532 wrote to memory of 4436	4532	Gmaioo32.exe	100
PID 4532 wrote to memory of 4436	4532	Gmaioo32.exe	100
PID 4532 wrote to memory of 4436	4532	Gmaioo32.exe	100
PID 4436 wrote to memory of 2692	4436	Hclakimb.exe	101
PID 4436 wrote to memory of 2692	4436	Hclakimb.exe	101
PID 4436 wrote to memory of 2692	4436	Hclakimb.exe	101
PID 2692 wrote to memory of 3232	2692	Hboagf32.exe	102
PID 2692 wrote to memory of 3232	2692	Hboagf32.exe	102
PID 2692 wrote to memory of 3232	2692	Hboagf32.exe	102
PID 3232 wrote to memory of 3528	3232	Hjfihc32.exe	103
PID 3232 wrote to memory of 3528	3232	Hjfihc32.exe	103
PID 3232 wrote to memory of 3528	3232	Hjfihc32.exe	103
PID 3528 wrote to memory of 3644	3528	Hmdedo32.exe	104
PID 3528 wrote to memory of 3644	3528	Hmdedo32.exe	104
PID 3528 wrote to memory of 3644	3528	Hmdedo32.exe	104
PID 3644 wrote to memory of 2880	3644	Hapaemll.exe	105
PID 3644 wrote to memory of 2880	3644	Hapaemll.exe	105
PID 3644 wrote to memory of 2880	3644	Hapaemll.exe	105
PID 2880 wrote to memory of 2192	2880	Hcnnaikp.exe	106

C:\Users\Admin\AppData\Local\Temp\45bb3355dcb12a4a424e6581d94dbe50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\45bb3355dcb12a4a424e6581d94dbe50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\Fbioei32.exe
  C:\Windows\system32\Fbioei32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\Fjqgff32.exe
    C:\Windows\system32\Fjqgff32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\Fqmlhpla.exe
      C:\Windows\system32\Fqmlhpla.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        29⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        32⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        37⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        39⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        41⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        48⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        49⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        51⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        53⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        55⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        56⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        58⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        60⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2432
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        69⤵
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        70⤵
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        73⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2668
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        76⤵
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        77⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        78⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        80⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        82⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        83⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        86⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        87⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        91⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        92⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        94⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        97⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        98⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        99⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        103⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        105⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        109⤵
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2640
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        111⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        114⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        115⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        121⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        124⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        125⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        129⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        133⤵
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        140⤵
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        143⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 412
        144⤵
        Program crash
        
        PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 6096 -ip 6096
1⤵
PID:5228

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ekfnlmai.dll

Filesize
7KB

MD5
c0807e8745cfa1bb4a3a57016ae8d5b1

SHA1
64a10356db205cec1b7fbe2e2e79b739f0e27186

SHA256
335cfd539bcf93f83e87f4eadb678c6dbad136266e70acb55af390d0ce15e766

SHA512
0110455042fada237973ff79723d45abc17e62308e8302094e10e3ed19cb3808ab450283b602712e177b550b2fd7ac01899c36446d51be3cfbed9aee1f87b1f7

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
1.2MB

MD5
49ce4d621834c70523f809b891ce68b4

SHA1
1073338935cf87db4ad5090d00ff043d29b8da3e

SHA256
463797d384aea9f410e9fcaa65aa16a7a40849593ae7b85f1cf5b907bc16ec33

SHA512
ca3d5b694454ac09c8040bbe8129b7d56f0b62c074008ea0fb8830048190a1d103801d922dec79394c91dc861582430c4f937c4c21868162caf1bd21ff299e7e

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
1.2MB

MD5
2e1920e561c36b19fe177415a0d61f02

SHA1
5e7e3109189c6bcf51dc85753bece6a2d1727d18

SHA256
79808772673ae7a0629f26036b934e87a6ddc782da3ef309b226c273e19afa01

SHA512
78d739c4aead95bb9aaa2d5f7187a3dc2aebebd928e837b57b6facf3809e1d7e9de6a8a60494d187b54144c1dac124f87d864da0be795f5edbd4bcf4578ab248

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
1.2MB

MD5
96e1934a69c01605e4e42f5bc7409654

SHA1
01db4950b5e82b2f2d634136ae2efc567d873376

SHA256
85be01fb55b3498a0e64dfa03b22db0538dcdf2b8f87d521823eb32190309db7

SHA512
e9b1482860ff5771926ce030f1a91501a36c9daaedc0118d0b2ac07e5c5dc2a0ebf095e57d6ca86def7aaff6842729b04598ca67806794b60319ca6dc7293642

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
1.2MB

MD5
1278cb7fdb8f8be53306271911b8cf7f

SHA1
83b4496bf35216106048acfad658d65233a8731b

SHA256
3c8e09f48f4842531f2ea692a4bf831bf605e1041e0297fff0dcec3cb77ac345

SHA512
f06280105a2db62d0a3ab88cbc3673322bfaca5481196bee7588257a96034f74cd9f2eee4458861580d2f2fb0c64b9d0c4f8f7bab6cf1a38ee820e7cfba2b366

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
1.2MB

MD5
025f8d7a6f3f9ff8852f7336fd2d217c

SHA1
2bac187280a9b16c263b58e3dd0f021d0964b2af

SHA256
ebc32cbd8a624100753f5ffbbb5c88813cdf193d7c02dd4a3d9b081e0ee9527f

SHA512
e403a76fe1a9fb391390a118e2b122500f9470c073caf263322a74495d090d33c2b33bbdefb9540a56be67c36c8466e37cadd6cdb0dae39fd8989033b27424be

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
1.2MB

MD5
a0aa9a2462ad918e2dcd59237e133ebb

SHA1
b7d090722dfa1cec515e8447f40945c692caf219

SHA256
f3dc37c52f6b453afde7fc7b517132cd3017d94e4d2a6cd277d8d9856f8509db

SHA512
2797116c4c42c7951bbb0d27786e28c8a3034a4c6019203355974f3e96b9ed101d361202dc940e1bcf84188ec40f278ad8c42ddec20888bf5842e5096a57d268

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
1.2MB

MD5
59602c8b1bc8b6ac1af57f1a58bbe473

SHA1
52edec277ebb7175ad67f930fac24d2be9632ce3

SHA256
47e5ddab8fdb26915fdd0d14ffdc2263a555b2674254d2f7c53dff7341880fd3

SHA512
37c4a766c3e0a1f8d34c92105d1de7767d66133834c7f456826f71033b032f8e7e35639bf56a9d682f829711d3821ab878947c6367fa03148c810be241b9c378

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
1.2MB

MD5
12f1a1fc9177b92378ec9231b0219514

SHA1
cba8c663dcdc959461fd58e05ed28b016337fe53

SHA256
941e33275fbf59dbdd83ef5c489c670503aba200a988bdf80671ef5aeee230ed

SHA512
227556b2c025859046a74d649ae92142a16288ce3d4008626e0c3145765fd6acce4a0a056430215aff5034f9779ee856dab9def52e193a21c762d5466b4b225b

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
1.2MB

MD5
f6c2c90835c6365fd7c32db52620431c

SHA1
27cf9a4584c23895c2c3ec5b8419a21952820776

SHA256
cc6422efc5349d0135bedaa8da072de91a9d93ffa91420cae84196ec77c30b2e

SHA512
bb1c676d2dbd266a4cf3fa221de27cd1057ce4a29a4c36d91f38b33bf6b7719d055d9be0506a8b65ae106a81e3eb138e996a6741f0c0790481540b0e7110b277

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
1.2MB

MD5
9e390032e266a4bc1b2f88e5310a1eb3

SHA1
33d0e45309e545c8f5b30b64e22298f7f5219f7e

SHA256
fb61fefce9107fbbf6fbe5a2eb6a00397a538dbc0a14c0ebf44cc7305434b4ad

SHA512
68d3304fe5856f44267cab06c4cd210cbc5bb9b7cfd9ada337dba0456bf3a0a2b0195a2dd0c856b17fece8d4a6f86d2fd445dcb622539ba56b2ce3d0af4fdf11

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
1.2MB

MD5
3f207f46c334a1d5135dc11ec53a42c7

SHA1
87efb2adc9cfc85ac8d2166854c25e2fab8dc14e

SHA256
61cfcf2076ea8d1f1a85d7ddd480830bc327ae16e4c2717e5d90577cb08bcb0e

SHA512
6a466771d545c1150dac0abdf8a738e278011067c05b2790bb3eaa7fdf444c5c8fdbb942e57f0a7cf30375829d53b0e008c0dce9dea312756f70ef46363fe6f8

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
1.2MB

MD5
817306244256a3c07f7b06a7394906f7

SHA1
1f5bde04f60194c29489e3ae888226fe276f7bee

SHA256
34c1a594f95cb85239a60816b874db0ea02109aa4cd623aa8e93d5837e4d02f9

SHA512
1a87e9d56819237d8a4b3b2646b5f8791872b1de87f9611b846be3a6d461e13db44d8c950ee8fbfcbdf2cf716d7d006ce880b3318841d9dd3b7254b6346e620a

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
1.2MB

MD5
cb9025e2b0979ea85d9d358b47973083

SHA1
27e322454915a12f48525366fe42618bb97c4e80

SHA256
278bae97c7060e5795a3c7642180f16b6daf14fe3687cf19a7fd09041847a388

SHA512
f73f9b25667a9cca45016e2f3f88f4de52be0accb6c418a9cfede291171b8827aec55309ac0ee4cad3ad842933f6f028d406d9a802289c5a45feed3a4253e03f

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
1.2MB

MD5
e24dfcb5586fc4f199d37cf94791491b

SHA1
5bf2fb342c8d30b9e27651fda120f3f82bca3a90

SHA256
f233455e1a9796aa502f782b21677e7f573acda05c2ec3991851e2595f0b3f9d

SHA512
6e10a9780af41d2c2df148ee3ccc399e4aaa77ed07ae933ea7996f27ff60043bc6e9dacb609c88703c1ccb09031c341ba3dca8f8a7e228959549490ede581b97

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
1.2MB

MD5
1a6f4f3153949a6f2ffe5ba16362fb91

SHA1
1074f723c6a7dc69c585c1e9dcfa3d3323e872ad

SHA256
9039dd6229615cd6814e0e1f808ded1d8df5128161b1262e99b59dfa8cce40c2

SHA512
89878177172cd711b83deb139d4a871990148852db78d677a08e8e6509a91dc6d2f5277a98d44e2e39001cb9022981028b986f12a5b8d232e89737e3073c72a8

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
1.2MB

MD5
745248e20c7c92b3ee9d2b06575956c9

SHA1
85c55581a24ff3f628f5493853d44b9ea48e8492

SHA256
ba8006e2b995babc900f73494e46961b86eac4812a15ea35b90e1ac70a645ddd

SHA512
fa4337442bc60755a899f49fc837a7ff07e57284721074dd4616eff1da421cf51c62ebe4be8726893f29aaf1983e9a06f77d0c21ac1473559c5ee404aeb44d43

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
1.2MB

MD5
1af084e89cea24d54ad88e4db7c0fde3

SHA1
8177152f2a859aa9cfd821068ce95727eb679463

SHA256
7f68d80cecc578e5f09d424f8cb85cc673c5be60fdb47df166fb39de9b7b03f5

SHA512
a3472891cd814769e2413a3ed104ca0134b96dc2cd733a13b4d65d1e23b87d38bff86f620be20c3bd7066aa12774bbc2e3c4ca25767b023e695b98614cd1793e

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
1.2MB

MD5
1b8ea9bc17c3c237e2a39ce5bd6c5710

SHA1
29b8d3b921cf8bf111f54491c3edc17ae50e2216

SHA256
32c5c610efda6bc5e259b58afbfb2ebbcaf0793b8d2936b7f543179f8bc7a9a6

SHA512
ba3bd4257cef6920f9ce60c7776960e5a454604ce60ea0f43893345cf342761df8f8379ffaab094984b56979a2b09c4b5787aed2b31208f6c2f9cd5e5a245cdc

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
1.2MB

MD5
491b929e9e00b7d9ec9eb5524b8ae2a3

SHA1
665918e5ce6c8e5d94e90f4ee04cc98089f64b3b

SHA256
ab7335016a6324d3b9069390e8efc2d2b2fc17e866138edee6114ce1773b661f

SHA512
0c6a99049a81ba6edfe17b0ba5c1184b626888de64ca9b01faf0f7ca2df18980ac17c276a9d84af0401183b76c53e3b647b9c9f7743eb1d044d211d7e08bb9e6

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
1.2MB

MD5
36c24f100dae7902a475ef2cb19e7eef

SHA1
2a834e0f46bddad7239bf5be745d011c678a2c4d

SHA256
43e592bfa43730b221847d4ad91c848bb2940722d27bd9afe9671b2b881808ec

SHA512
61d55d970a47ba7f4fc9889ec540ec03477cab4899598a1d6ce13671aeb2cb077ce89864cb086d1c72b32df590603f3b481ffd66147657ec4f8f9d30ad9b0f72

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
1.2MB

MD5
b51e7854bffc5dfa6645ee08676e798b

SHA1
a184aea9e4376a485c4d0b51f9601c61639f5349

SHA256
4f3489c7ed9c53e68e0a70b16a135f7b951aaf94faf72bb55a4f923f948d8e64

SHA512
eda7ff356618e7a38df9dc9dfe2f5d81a4680c495cde175914c8ee8ee6a117c32b65aed033fe871f21ef13718ffd93803aea7d28c2dc28bb07e69e52dce75c53

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
1.2MB

MD5
e00366c97e7d1ddda49a47e8769ee594

SHA1
4f5137d49f9c920783290cf2cf88daa6ad326ca3

SHA256
157dc64b62df9d8c4b26916b29b770ebd99c78a2bf1220c88d085c5304ebd01b

SHA512
af6572421cb328a28cb0866eef7421975a7980362e76aa75b913241ad1d3cf2f438398537c62582ce6c9855a3a52bd50587a48db39c93e4f694db1900be1665a

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
1.2MB

MD5
05fac8abe17cc864127de5778f478049

SHA1
7b1e0a1c7bf36d87a816410640228d78dacb114f

SHA256
1833e94a989ab16bfdde9ebda3712558e53eb60a8266dbe97c7f64768c28e4b1

SHA512
fd03443b9a838d9e405cc03001ad5e9e1debf468fec75575d0b3603ba30ffc167910f348b05de0a33b6f2a47bc7d8120177953f3b61097d27ed06e74e750ee3c

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
1.2MB

MD5
e685ca9dc4ba853497854b0125c4fc81

SHA1
9a0f75993022d0838252a47fd3e8c1ef35ef2949

SHA256
55eecea70b51897f55fd002652fa17758c223e8ed1b3a3aafc94934448648b1c

SHA512
37814d1bf8e083b373b44003ef07c3ed01c3c91d9726b5dcead0645e5c432b2961f3d6728b03cd261d54ae0a4797c06d810a8127832530b4d11fc6ecdf70a18b

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
1.2MB

MD5
b94abdb3a89880f5f7e0b74dfedbac24

SHA1
ddbd66cd0c57ec6340290b43f307114b89ce62cf

SHA256
09eacf21410ca5b30fc65f0f6c1b12b6d547831043b52d9eb78e61f95023d39d

SHA512
2fbf6cd2c7308d64036049439126452fe8faa62037c74f6bd642e6d7a6a015c0d97b75f5d0e4e074c327213beb8b4d811cce628fedbff42ac1ea335017021fa8

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
1.2MB

MD5
d52c416ca801748345142b534dc3ef77

SHA1
f7da1908e0fbc1033a34e04d7c3c11093b771955

SHA256
5b1cc69c6c701fcb9a4ab2605f839486f0d82756bbce30cd999b354deb670f13

SHA512
f21e15b06a448ab41d335c76645bb18f07c7d543b2a7cb2a61ae3fd6f121b2336c437d1a3df09dc28af455382240d9be5ad6e046209e9a370b4a100e26a541d4

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
1.2MB

MD5
47a19518fd9cfb983c8b7112951906c7

SHA1
9c23f0a2ff9aa3823b9e43810b8492aa37a58bdd

SHA256
39e4274651dd0d5e9faf13d179c5221851c6fb99a42e7568df4ecd0573c0d590

SHA512
43f2ea638149443644637be479b93de840b6b16fa3c041667b126e92d013202fc06589b2859242ef9a0c859cda2aa4cc37785cb7dfbcbc676e3dc8c95632d193

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
1.2MB

MD5
027387bb12167d6cf705ac5624d3a2b3

SHA1
43677262f71d9662b1c3c4f896011550e1084e18

SHA256
67b700da13707189bdeede73ca0cc2eb54b1503fffb202f1dc392e27a0db8721

SHA512
0f20f614474a59da7dd22ec603d34aa8a3a6a02e2a2b8db3f4ab2658b885b58ae95373deccff0a144dee64bd6314c42b881607ac98c67ab81b8cf954ca24d256

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
1.2MB

MD5
58326ea0c91478b5d7d77d5f914b3427

SHA1
3ffa15cc68ace37222cf035d9a793e31c278c18a

SHA256
bb2378e1b5e5b2f728d7f5d8d15db1b6712bed201ea760a84f12299aa9bfa588

SHA512
aca9d8623183f7b6426d58bdc0c86d15274d5614e5c33e3ee89db537e55686e475191349268d071a011373c9e536b25b6143a39fa5d9c0ba149e759965ea92e8

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
1.2MB

MD5
9ab875e06b346330dc800b15ab9b8ac0

SHA1
b6667f816d8ec86edb4d5a0696b7b80be789fa63

SHA256
c51ee198007fd0bcc44167c5bf30aeaebed49f8dac7e94951fbbd7dbcfe36016

SHA512
2731658f4e0a3e5b14d433dd280878f3fe8260c33f48d5136fc39ba92783f19241cdde6df238b30b8b37111fe3aaaf258eb94deb6f19609caf03e71ff0041981

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
1.2MB

MD5
6522cb9a8870af5332d9b385475a03a5

SHA1
bf3d2d0007b5d2c77b9171aa038d1e8cdaea5ddf

SHA256
f7fe871a373810c6d4b3331983cca7ca443b0f7d0d315de5d897b97dd256148f

SHA512
bd714c6e348a71d5b432af4a3e47e980584ae32d22892d0050ae0b3478e28ec5b54c075ca8f8d4372728664750ccfe6a537cf873ed5b039f30905bedafd4e540

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
1.2MB

MD5
5271dbf7efb2255e18ed7e9a41f5f2cf

SHA1
1f21b9d0ac0b067763b8da1d1b58ace6dd6ac623

SHA256
e42a9f4f04bde82186b47747b188a9e2ff552048210b60e9eb9b32ec820a2b76

SHA512
e07925cc0b86bacb821815f3c23b7368e279f8cb67d7178c76a94d43b505083e75a0d9865c0a2f8e18d6183612366b5526aad98e6a6c49c7c1ef43dfba3160d3

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
1.2MB

MD5
57681f734d703a7d3bf52b0d96e9b5b1

SHA1
891be21bb9341b3e86a697f31c67e1863e1e65fe

SHA256
08b33ec9bd999c2ed88206ff463157cc2049d772affe17bf7ab1522c9d5b5036

SHA512
bf773fe853b234c4bb491628d7faf4fabb73817541ee7da66ddc99783784536416dcc5c9e706f5464e981cde16fcc874dced01eab2111149860fe915d607f18b

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
1.2MB

MD5
eeb19eb57a59cf27f8440265be21a686

SHA1
77482f9892e0facf1133126c9d9a62d28f75598e

SHA256
9583d36ef65cc2531f362ff8fc5f363a1659d726485a6cba91afdb2085b958a1

SHA512
0d0db0d74e3e0050b8eff70defbb317832dab9ec32f803169bb4241b9f650d1e502463168bf686185d14171a721637ee8973158d368c9eaa736b4d70591ad94c

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
1.2MB

MD5
a4a8f8698cf56fa3281c24f9ebe5484e

SHA1
e234950f9190edb1d77e203d7d15f3c418c3d138

SHA256
970f0cfcddc35ea0d6d890a76404ff1a40a0e2cbdfb88c5ad8fa88e53ab09d77

SHA512
254b8fb92e93da026786b77fb8e4d40f1746a50bec93103f8858e211f3d07eee63d2d824e01e81afd5a0f0b4b01cf06612916a26471b6efca18aac0bb6defd41

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
1.2MB

MD5
41900fc21ee844f2d837e15cc19a0b91

SHA1
2a2d30d5df16b418ffb0e59e3140d2c2dcef1210

SHA256
241c0b8c1e1e3b71809cfb6b0c642efa7837b4b18aeb8541d98588cae2ea1bab

SHA512
5009c4f14d33083a4337600e726de8b4fa7ebf80425cb436f912dcd522dae6f3abbe2f867a65db82db6bbd1df022a264169f4954a57862aed6f771c1fddc5b78

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
1.2MB

MD5
d3a10d32648e08eb8f2f8437e0e7b0df

SHA1
0945c45ea9b9448dedc927c1e1f51a556c1ffa58

SHA256
b6df53c04e92bfacd904160cae5f96adaddbff5f4b697992371bb7db585ad0af

SHA512
8509472ebf66238168868a40b280f73d9c6b1b030fb5d684a50353a7945ddc5cec40d2582b32017f22b1bf4920b47b4406816263c5c29865937ea8b84e5ad860

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
1.2MB

MD5
0e5e3517766659c5f5489ea9c87f869e

SHA1
99fd856bc7dd77dfea83ae7a54fd40164a9071c5

SHA256
b797b1316644d1c8f149df254ab9c4c8c4da218bfe5625a291949bdd34f5ad0f

SHA512
3a828db62664b51f99742ec986e6817f034fd2a900e634e3f5885acde0658b3beaf5174e11a86e934d80447f378ad41dd3d137f87f12d5d61880b445b09b7df6

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
1.2MB

MD5
28b6ba5b77abc326157cf953c1290d6f

SHA1
448cb1e8452755fd1e8ad0643ac5d221d06f403e

SHA256
f43d3bcd827d2ed5adc7ec4ec212aa29e57ef5683d64580baa5a7cbc12e23b63

SHA512
eb89ff8facd2062cce19a96cfadbab86977c2456f1bbbba0dbba8ff87b59137f9589d33b609d685fba0dadcdc2bce70a634ea35d59328b79ef6f7f632aeaf2b7

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
1.2MB

MD5
ab4d29217f8a484e2ddf096d49a3e4c9

SHA1
a4a8643556e6af46ba7faaa7faf6f2711297425c

SHA256
39602583ae86a8083ae60d9d1435714edc6c20eb143bf6136925514c542d5cdd

SHA512
72124fd8e1c52c8d3a258baaabf3869219d8f503dcbc28d0b9cf32a971cd7cc0e0346b2d2615faa3058442607cc70f9c62fd05fe96ab3957654b8dec3667197c

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
1.2MB

MD5
e2d2f9e981e0677a4fdef28729f35bd4

SHA1
caec92dcf66c63c21667bec1af3ea4c7a8bd98e2

SHA256
f482dcc80fa56beb4caeaf905985cac7ad632191129bfc1a127accc55e3e4052

SHA512
5cb0e2f862744c1a85b2cd1d94140904cef26cf65071a28551865abbe33cd12819d08643c0d943602e2af1018d1334f93ab1c4c6c3cdbcbc7af1c829301c8fc4

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
1.2MB

MD5
5def8338504da5455dc7a7aa0f7762f0

SHA1
4f616e8797e0cad92a8b5f37bb5c68ec53a5c63d

SHA256
edba87aec048ab3fe0c3ff7e0fbfeb3c2d6a6845b7ec475e34741e2b73cf00df

SHA512
9a9a5356d9a4072d55af671f14fba60288fee253f6159c94b0f0632f9264d802decd72e91023f335b2902eb1bda536aa590107396d0c9ad24913ac13250bf92a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.2MB

MD5
bb1d9a7235516672b36a3cd56857eba6

SHA1
803d89f395b808fd6125953572d3c4295eff542a

SHA256
6b7e665239b6d96a2216faf024a5c4f6189f93d2a869f767696d94d5e8968590

SHA512
734b5b7563331c5f73329effd7555e603374b674acf5349111fb7881b381fdb98fef64fb81467197325e191a6f9e837e1e7b4612aca71c34a96ad98b5ddaaea2

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
1.2MB

MD5
f3c9c142ba97096e0c1f46b96f0c0a01

SHA1
7e665fadfeff2e1e3c374a6d3a59353ac0b7e1cc

SHA256
170d9c36d48c406c8944d7dbae6575b72fbe8c1106426c85f8eda77dc7a1a653

SHA512
e3f4ee41f7337f53cc79bbf602075b23ea3d875337f6bae8c6060d781dc79e166a5053dbad110a2e16e58f506041ac63132d313a317fb987b9cedd40b568e2ed

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
1.2MB

MD5
bd6086374613b6938fe8991d0e836719

SHA1
0ab438862e8b44472984fec348c89879de41d3ce

SHA256
7b1bc1012ec9215b9cf8359307711453b398f0b503a660d24c1e34499a947806

SHA512
f31d1ccb0b57e095579a36a3f7ff66dbb8f5293ff2a89123a0d0cbd77d6d16e319e6a372dd87495073a160fcce8f43c6b355a1a5f7267685dee8a5af18838eef

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
1.2MB

MD5
fb45c52955b206349dc2480f6733dcce

SHA1
36930e16db68c6a2accc6531a4ac09d41470ecb3

SHA256
3954d60cbcae83c16cdaa611655b2909cb721b711eac907e85ac65798db2337c

SHA512
8df246a2a37be8413d52904f23642fdb06294104752bcf704a18a331f70b995ccc65759f43f735b1c887a9fe16b8a8868652d8cd7de1f4158915cc18436d3ffe

Download Submit
memory/208-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/208-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/400-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/400-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/452-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/512-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/512-638-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/532-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/644-503-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/740-516-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/812-541-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-512-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-494-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1100-487-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1268-75-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1312-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1428-488-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1448-525-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-540-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-511-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1864-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1940-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1940-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-481-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2196-510-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2248-529-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2376-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2404-537-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2432-530-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2520-489-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-509-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-542-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2672-522-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-475-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2768-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2848-486-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-480-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2964-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-493-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3060-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-536-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3144-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-476-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3348-110-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3396-547-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3432-528-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3504-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3528-477-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3544-524-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3580-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3592-517-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3724-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3880-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3960-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4020-549-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4024-482-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4204-492-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4248-501-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4328-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4436-474-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-518-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-519-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4500-543-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4532-473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4556-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4624-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4640-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4656-498-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4780-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-491-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-483-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-523-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-548-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5000-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5000-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5040-513-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5108-499-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5136-550-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5256-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5372-642-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5428-643-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5464-645-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5500-646-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5536-647-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5572-648-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads