877fd266f9f0c16bf5b4308fe2153f82e7cde2bffe83e592ab6419b12aad62e4

Analysis

max time kernel
132s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe
Size

96KB
MD5

a6c423da25eb2170b17120b4ab2cb120
SHA1

ebccceffb8925f0f14dd5c158a6e8900bff8cd0f
SHA256

877fd266f9f0c16bf5b4308fe2153f82e7cde2bffe83e592ab6419b12aad62e4
SHA512

86f631fc66fe04a664180d9c3c687d1aafb925a47faaecd3ed1d6070f5a4d654810661f52d3df074c885b3056323178ceb1261e8f2a7af51b1a3a77d9adb4be8
SSDEEP

1536:8J2J62KHsIYUVlpGSlyrOiHQQDnmppFOH4vDVcdZ2JVQBKoC/CKniTCvVAva61hl:8JrM+ahwQTkba4bVqZ2fQkbn1vVAva61

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe

Executes dropped EXE 64 IoCs

pid	Process
4908	Hfjmgdlf.exe
2224	Hihicplj.exe
4260	Hmdedo32.exe
3892	Hbanme32.exe
2188	Hfljmdjc.exe
2616	Hmfbjnbp.exe
5048	Hpenfjad.exe
2804	Hbckbepg.exe
716	Hjjbcbqj.exe
2768	Hmioonpn.exe
4180	Hccglh32.exe
864	Hfachc32.exe
1988	Hippdo32.exe
3084	Hcedaheh.exe
2384	Hjolnb32.exe
4360	Hmmhjm32.exe
368	Haidklda.exe
4520	Ipldfi32.exe
4884	Impepm32.exe
1908	Iakaql32.exe
1864	Icjmmg32.exe
1220	Ifhiib32.exe
3944	Imbaemhc.exe
2348	Iannfk32.exe
4944	Icljbg32.exe
4932	Imdnklfp.exe
4756	Ipckgh32.exe
4164	Ifmcdblq.exe
4204	Ijhodq32.exe
2584	Idacmfkj.exe
2116	Iinlemia.exe
540	Imihfl32.exe
4720	Jpgdbg32.exe
1132	Jdcpcf32.exe
1464	Jiphkm32.exe
3984	Jmkdlkph.exe
4564	Jfdida32.exe
1720	Jibeql32.exe
456	Jplmmfmi.exe
4888	Jdhine32.exe
3784	Jjbako32.exe
3608	Jmpngk32.exe
1324	Jdjfcecp.exe
2720	Jbmfoa32.exe
3840	Jkdnpo32.exe
1620	Jangmibi.exe
3676	Jdmcidam.exe
1916	Jbocea32.exe
4492	Jiikak32.exe
452	Kmegbjgn.exe
4396	Kdopod32.exe
4848	Kbapjafe.exe
1776	Kmgdgjek.exe
4220	Kacphh32.exe
1424	Kpepcedo.exe
740	Kkkdan32.exe
1832	Kinemkko.exe
1920	Kaemnhla.exe
4868	Kphmie32.exe
748	Kbfiep32.exe
4828	Kipabjil.exe
1692	Kagichjo.exe
4308	Kdffocib.exe
4452	Kcifkp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpcioj32.dll	a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jmkdlkph.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5484	6120	WerFault.exe	220

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4908	4072	a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe	83
PID 4072 wrote to memory of 4908	4072	a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe	83
PID 4072 wrote to memory of 4908	4072	a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe	83
PID 4908 wrote to memory of 2224	4908	Hfjmgdlf.exe	84
PID 4908 wrote to memory of 2224	4908	Hfjmgdlf.exe	84
PID 4908 wrote to memory of 2224	4908	Hfjmgdlf.exe	84
PID 2224 wrote to memory of 4260	2224	Hihicplj.exe	85
PID 2224 wrote to memory of 4260	2224	Hihicplj.exe	85
PID 2224 wrote to memory of 4260	2224	Hihicplj.exe	85
PID 4260 wrote to memory of 3892	4260	Hmdedo32.exe	86
PID 4260 wrote to memory of 3892	4260	Hmdedo32.exe	86
PID 4260 wrote to memory of 3892	4260	Hmdedo32.exe	86
PID 3892 wrote to memory of 2188	3892	Hbanme32.exe	87
PID 3892 wrote to memory of 2188	3892	Hbanme32.exe	87
PID 3892 wrote to memory of 2188	3892	Hbanme32.exe	87
PID 2188 wrote to memory of 2616	2188	Hfljmdjc.exe	88
PID 2188 wrote to memory of 2616	2188	Hfljmdjc.exe	88
PID 2188 wrote to memory of 2616	2188	Hfljmdjc.exe	88
PID 2616 wrote to memory of 5048	2616	Hmfbjnbp.exe	89
PID 2616 wrote to memory of 5048	2616	Hmfbjnbp.exe	89
PID 2616 wrote to memory of 5048	2616	Hmfbjnbp.exe	89
PID 5048 wrote to memory of 2804	5048	Hpenfjad.exe	90
PID 5048 wrote to memory of 2804	5048	Hpenfjad.exe	90
PID 5048 wrote to memory of 2804	5048	Hpenfjad.exe	90
PID 2804 wrote to memory of 716	2804	Hbckbepg.exe	91
PID 2804 wrote to memory of 716	2804	Hbckbepg.exe	91
PID 2804 wrote to memory of 716	2804	Hbckbepg.exe	91
PID 716 wrote to memory of 2768	716	Hjjbcbqj.exe	92
PID 716 wrote to memory of 2768	716	Hjjbcbqj.exe	92
PID 716 wrote to memory of 2768	716	Hjjbcbqj.exe	92
PID 2768 wrote to memory of 4180	2768	Hmioonpn.exe	93
PID 2768 wrote to memory of 4180	2768	Hmioonpn.exe	93
PID 2768 wrote to memory of 4180	2768	Hmioonpn.exe	93
PID 4180 wrote to memory of 864	4180	Hccglh32.exe	94
PID 4180 wrote to memory of 864	4180	Hccglh32.exe	94
PID 4180 wrote to memory of 864	4180	Hccglh32.exe	94
PID 864 wrote to memory of 1988	864	Hfachc32.exe	95
PID 864 wrote to memory of 1988	864	Hfachc32.exe	95
PID 864 wrote to memory of 1988	864	Hfachc32.exe	95
PID 1988 wrote to memory of 3084	1988	Hippdo32.exe	96
PID 1988 wrote to memory of 3084	1988	Hippdo32.exe	96
PID 1988 wrote to memory of 3084	1988	Hippdo32.exe	96
PID 3084 wrote to memory of 2384	3084	Hcedaheh.exe	97
PID 3084 wrote to memory of 2384	3084	Hcedaheh.exe	97
PID 3084 wrote to memory of 2384	3084	Hcedaheh.exe	97
PID 2384 wrote to memory of 4360	2384	Hjolnb32.exe	98
PID 2384 wrote to memory of 4360	2384	Hjolnb32.exe	98
PID 2384 wrote to memory of 4360	2384	Hjolnb32.exe	98
PID 4360 wrote to memory of 368	4360	Hmmhjm32.exe	99
PID 4360 wrote to memory of 368	4360	Hmmhjm32.exe	99
PID 4360 wrote to memory of 368	4360	Hmmhjm32.exe	99
PID 368 wrote to memory of 4520	368	Haidklda.exe	100
PID 368 wrote to memory of 4520	368	Haidklda.exe	100
PID 368 wrote to memory of 4520	368	Haidklda.exe	100
PID 4520 wrote to memory of 4884	4520	Ipldfi32.exe	101
PID 4520 wrote to memory of 4884	4520	Ipldfi32.exe	101
PID 4520 wrote to memory of 4884	4520	Ipldfi32.exe	101
PID 4884 wrote to memory of 1908	4884	Impepm32.exe	102
PID 4884 wrote to memory of 1908	4884	Impepm32.exe	102
PID 4884 wrote to memory of 1908	4884	Impepm32.exe	102
PID 1908 wrote to memory of 1864	1908	Iakaql32.exe	103
PID 1908 wrote to memory of 1864	1908	Iakaql32.exe	103
PID 1908 wrote to memory of 1864	1908	Iakaql32.exe	103
PID 1864 wrote to memory of 1220	1864	Icjmmg32.exe	104

C:\Users\Admin\AppData\Local\Temp\a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a6c423da25eb2170b17120b4ab2cb120_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\Hfjmgdlf.exe
  C:\Windows\system32\Hfjmgdlf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Hihicplj.exe
    C:\Windows\system32\Hihicplj.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\Hmdedo32.exe
      C:\Windows\system32\Hmdedo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3892
      - C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        27⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        34⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        45⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        48⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        49⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        55⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        63⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        70⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        71⤵
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        73⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4184
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        75⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        77⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        78⤵
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        79⤵
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3740
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        85⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        89⤵
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        91⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        92⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        93⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        95⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        96⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        99⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        100⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        102⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        104⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        105⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        106⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        109⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        110⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        114⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        115⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        120⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        121⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        124⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        125⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        130⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        134⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        135⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 408
        136⤵
        Program crash
        
        PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6120 -ip 6120
1⤵
PID:5380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe

Filesize
96KB

MD5
09004c36d036112500513d3dc89051aa

SHA1
47b160567697224ba405076b7f4a5f337dd8e5cc

SHA256
b59056493f6da6de59154d678007073e012daf9a9df2286b12a6172e516a9aa9

SHA512
41a78e6c0c94e251d3ecf3b8f329d30ed4043d721e89394344bb7aa3b4473652a8eb70c26259ca356c7f74f3c8a77a1b8883eaf9133d73b90ae8e40737fafb86

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
96KB

MD5
3487b52c396b3df4ac4770d68c5b716a

SHA1
da3f86233d94c7ef352fd95e1c8d6501f0d4bc1f

SHA256
6edf7ba0135a699bf8601564519c83323d02ed9146996f09636a3955254dd343

SHA512
5294a7ae916cd5788b9c409f33ce5b896076e8e615744bea7b341e8f18f12a4053ac76e8f15fee3f3878088530ef7a1b72e793133fb4c8ee9bfda8204a3d32cf

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
96KB

MD5
7bfc8ff2dc393a570fb5b70564c4220e

SHA1
e5eb500402dbb11501bf0205a1d8049f31b512c3

SHA256
f4becc221853c5ddc8970f5d2f3c5a4694d74f21b7727ba3cb93cc1dab115223

SHA512
3e7cb98627e2b8515fd852a11fc7db88279c8738baecc227023b00db3d0a8e6f0245c99a38d93dcaafccaabddd62304ed7149a99b0f233ec973cc37dafb72d4a

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
96KB

MD5
4bd4ea91426395b22fa16c992c34d24b

SHA1
37cbd3e6d9fb99d80bb7737bf525e17b299e536e

SHA256
75fe47ea574eec1258120efd632614d9316610a9a82848748c2e6df4496d6b4a

SHA512
0fe72a40b464bfef3735a4bfd36399e1183c8702b1eb1ed34f8ada39964f241f5b0131060c44185f17bc9734df29060b6f7152488178a20322250a97381d8e07

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
96KB

MD5
d1d3ef2063edf3fd0990f8511c4836f7

SHA1
0bb2b33b628b93045230bcf6353e715ffe25700f

SHA256
f1ac49c0b3481a73046aba801b52a919747926751bb0c3fa61f2363e93be408a

SHA512
2343336920cd34d0c0cad449cb316e69e24e3ca4759d38df76c488ab89dfb8c5d3b9c4f593e734cc631fe6005099bba78baa7d2f724d026f85b9f3f511667d77

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
96KB

MD5
6abf14628bafed9f251bb1bed8baeeab

SHA1
1a59ab233e7d4041db581396e1108b4ad272d899

SHA256
287cb27d858922ff46a1d1960e578da24bf0f6976d347eb9f3510e691478fc7d

SHA512
d7e26169d7714820015eb7148b8f56a0a0c2ecfd2d747c4060e138f6ca454b8753c0d22b2393ff0b9b08ffa479131a019649bb74cec4523117cabdfa6fedd120

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
96KB

MD5
02b25b9ea0a67f6f8faddfe096cb47e1

SHA1
c1c5244545d2e5db4360e200a9600352e30b4e0c

SHA256
726808cc85ee3aaf8b19bd9131706c14c00c885c844d65b14347b29ab46fbd8e

SHA512
abdde5e604a876cf21cbd69e99e7cd467616e628adcafc8d3193b8de49f98ffb10a2cf91b9049120e3db7872b08775a54b8cb153d864e17c86b990ac41553e4c

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
96KB

MD5
71989a71eefb89066083b38bde0c2aaf

SHA1
b2bf97dda9261bbd841e509d588e0a59c3f5581a

SHA256
ac9200d5f6d3ac98519328fbf471ed681f102ab59ea69bced31137bdf22b4fe4

SHA512
a8a72b70465cc191184edc6459794a02c7d49ecb4b9c8b84901129c9e9737930e48983630a4c86b8f5762b2fd28f98cd4d03c0d1b90981312695bda56e25de30

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
96KB

MD5
f5ed2c3edda3b4369546a5c79f585a19

SHA1
31f336de546bdbb02e432d644dca1b5944778b1a

SHA256
3074c6d2118c03333a6965ca7ec1e4165f8e34c8ce9de78582c6b657755deb13

SHA512
4d0a9ec70c6a280c5ecada00128318bac25ca152cd1f0d680415dac2f8f7ded81ead05a3cadb49303ac5b5a39cdbcad472934ff03f0e66aaf494c073e15436dc

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
96KB

MD5
3b084dd1cfec0d05689fbcd37c6e4625

SHA1
0822b3822a6ad33e1bd31c38aabe1fe305cb913c

SHA256
1e8dbf8cef6609b7a4424b5841bcfff21a5545921c6005ae36302882fb19252e

SHA512
9ea03d7c056806ca4140c3432b40173f93dcf79da8cd1d16898fbbbcd1fb898a3476f0b9731317884cd2560eaa889d0472692e5de74aeb63417240e9f3e14f06

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
96KB

MD5
816453b2a027770829c32564f0140991

SHA1
c8b9759991f4cb2893f1d7f6ae5fb804c51d1183

SHA256
7d39b011b7ec8c9078c438340f4b9ab5c1d62568c4415a751249e78fcc420ec0

SHA512
fecea8b28ed34617c39c1c5a9840d3530057507677fb4d8542cdd0bb3a8de6da9725c36e5ebca338f71c7d4940957deb19bdb32053d1d871f5cbb6722796bcdd

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
96KB

MD5
8bb353889f3380e2efe6b32f5b7869a0

SHA1
dc6f90f9043b0c76889bec92f1535ddd4263fed0

SHA256
40431895d5d3be484d36e1f49a0950d63e9e284178215e31e8f33699c212ecd1

SHA512
80fcb83b2b6b69c929983db79a0ae2b52777d82f4318f9856b8a86524fd3ac8636a29a10adaddd00f45d80ce597a876ade17baf4a46f7dfd80b6e967292f4863

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
96KB

MD5
f9a1adaa2d3f5d82ca4b222be6e56cc2

SHA1
71cd24914034749e325ff188ac278749af69d099

SHA256
49925c7710d94577518bb209d9a67561c1e83289dd261f496134343c0b8602a0

SHA512
1f4c69687073f4bad218538b0a30448b1c81b10e22b2fdcd35d66c15af51a075ae8b49ea199de4f4428e9a9ebb65293d2c3aeed5452ad9dcbcf1a3a50d9cadab

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
96KB

MD5
7b28610aa8330354bdafe8c21ab9ecbe

SHA1
3f65c4ff13a0491cfe60cdd630c5cd649f996a9a

SHA256
7000bd1906313595159404a2887596588178f9c1221de2efa8fcb9138a068b86

SHA512
c38b3e3188de375d5f292d519384f9fcbacb468a96afe3a7e11a1984b54b949ad7afa12b071af2c6dbc418635f8c3c81efdd1876a1c7ef0c0b96d20def8e083d

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
96KB

MD5
959b4a88ecefb363c92e8ca74b8359f5

SHA1
06f980be33a621b67423f334b181209af417d273

SHA256
910e6cf9bd5047bc9865b938d9f899f33517899d8210edc254c64665d79d8350

SHA512
1dc14e19b04236373f4466105557321fac122f979860fd3af40c4a39dd6a22e669456160e0f2d358b13499bc20969d7478918c4c49fcef302e1766ee343420be

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
96KB

MD5
034555ff1e63626965a239a40b85e842

SHA1
5830c7c23e2e228a91a1a5224088cfb01c937378

SHA256
78b25c2b7001148f7ce2d567508ce8c1f2708fda0e9acbbb1877614a31fa0adf

SHA512
b2fdcd18bc907311acfeb14826b360d3dfc7cfe2bdae02737618a500b02fe9d3298a4de5013402d5896b37ea45ab5bee560e453c42b15f4d7141b2a7ddddaeaa

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
96KB

MD5
ec307380039a5e85d8d3ce0a8b0e776b

SHA1
1da174ea4e184c3f9529189b348f2f8054b72204

SHA256
bf1e1a902e590056f5f7bedb40c27caf74bc56130bc2c902095f9bf096034125

SHA512
06f68e5647b1455199c79e2deadedb0116843e99d680016bcf4f5e99a0fc9092173e4cd6f35a2ec8f08fd90e102f109d0dafb2e13e3ab52156feabb18a0f3cc4

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
96KB

MD5
32cd2c4d05bb8f6ff11cba38b2074667

SHA1
98d78d59954819790c4447e269afd823ae867d85

SHA256
304bf35acddd2c6208ac0c554f41876a1df17eb6a115b1a8a13474f9ecd7e5af

SHA512
372e47d50c8c216eaad85fe58f35610b075fa78ce293cf254b15b018324d096f7be7edb7343a2d0181f7a125a56d5e1a0e63e0ba1699b108178b2556b414c975

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
96KB

MD5
6540b21df9fa49cbcfd616b0411241d2

SHA1
adf5e81a2683c8c199f7c7002e9a890a98f07fae

SHA256
ec28b157b0cab9cd04c7d64a1ef752fc1013f9d76f992b94db58e2c21f89e39b

SHA512
f6f9eb705cb8922d6d1ae40c52a9c200022eddccfda7898d1bc48cffedea78ceb6dda8ba652d59cbc3609a5d503612aec21fdf5015447850846fef678af158f7

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
96KB

MD5
86f91b4ceaa39131539ef6f2a68e18a4

SHA1
17896247a59eec3a6e2cc6db4c04c62b8ebcacc7

SHA256
a87981485c000ca9e95094b6a0bfcde0d0d24260d8fa587d1aab2bb806daa4d2

SHA512
5ca1302ad6a5b4ced19e248feee20f0609c49790e45f1a4227d0a4aa33397290b7a285b06fa7e357503392aa9e86b2aa65ed4ee249f544f6f459df4eded4a413

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
96KB

MD5
8783bb29e4d9dccb4a5045234f635abe

SHA1
38c4b886a24800bce05e5976732d6e10ec4019e5

SHA256
add184231a7f1f758a39da5a6d08acde5295c596e4bbc158ad0e458321184cb5

SHA512
bdd5b19d8b1ccbc819192b2183480e67ccfd03b84b77a52fa2c4d140ce64de8cc078f8feaf2c567bcf8dd94b0721c0dc48013a3ced03d367466cf650564a7111

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
96KB

MD5
85a68e2fe34d3bf80209ad6902c72b88

SHA1
087b42ca0e9ba514c09310c7dcf848b495f8f25d

SHA256
60bdc9420c8c79922d4890dbc41c13ab5b3cc494f7f62168f6bc7ad7356aa4e9

SHA512
a3367f26ab5d5db6078805b92eca53a5182ba4483bdc79e2cf694794793ff015527f8b3d36786a08e7039eb3d400b3abce3314ba3143506636f96062754ea546

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
96KB

MD5
882ebec6968c159d0dc18fad72865359

SHA1
6897764e4eb5690a118c9433d50a4204c2d53f01

SHA256
bb0907c36fa5eaa082e56c42b03275221fe4fe1bb48e4b828a188aa87eceadf8

SHA512
2393e1e699e3f3ff07240c4b3dbd3298a7895adb43141cc0e0ffbbb5c37e6e21895c61185c9b49024ce1b422473256fb9af63f6e82805add43184b703ba7f2cd

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
96KB

MD5
3cdde0807d9b63fef70b8e8b229114c3

SHA1
7b6c80ce248980a9ab59f86b47e5cea2df3c58d9

SHA256
f14744601ba632d3c627f2f3f75105f958f35bb2d1eee25e88285df7bb27d08e

SHA512
ae0d9e37d0d6bb5bad3fd0fbd091fb1426def7c0022fa165e616a17ee90bd47ad4e1488ef8010cbbc37e070def838eaf00681bdff5215a0cb434f558cb01081f

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
96KB

MD5
c7356fe2319025b339b0756ab8dd72b4

SHA1
b7ef8315bc8661cd8a85a598feda11ff3760dbf8

SHA256
906c0bbead8f01ba5e994121e098cdfdb5355b8bc516bfca4b2cb65c188d9ba6

SHA512
b9ef76e966556057db280c2144a491af1310e6848d622b296e94c0296a4825ce5bb090d387219faadc831f6298eb66917b3bcf25f30e1ebb7cee391837b61132

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
96KB

MD5
3e85dac25621f64ea8e61d4d56048a98

SHA1
cff45116acaccedb66293e9414f7960645057f38

SHA256
e95dbbbdca88fa782081a9efa7d8e7e43d04c4d1851e734180d163dbb043c66f

SHA512
0e1f29011a810d5617765a38b2678e9bd3cc0c2f9a4699602b720d0fd0115979e97424d01c7d47075e5418c62f2f4c59a2bc99b86ceefef0fc78fbc785516af6

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
96KB

MD5
9c8a9f7fa36cbf8131791d78f87f2f20

SHA1
cc796773c845f518d3c0e4707b84f2875e13b35c

SHA256
42b7f779b8a4ba0a6b73459ede0ee8d21ae896926f807df460b56a93a60ba57c

SHA512
71751ce590c1c96f30d9f8b918d0e92d77312a2eaba38804de4b16641f5713a392a53453cb51efd892fc45e3dd31a3718b4a8b1dbd1723101c12ae8509d57c79

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
96KB

MD5
bce06e57e5cc5ac1ef998a5d8d67a1b1

SHA1
21178bcce016593503a0903bbc6ce9f6b4329e87

SHA256
506043cad3f97feaf51b00206e7e09875c4b7bd8b4dd87f6a3e3d8b9859ba737

SHA512
0e9bbe6c6071a40ce4ab75f8e415552b0e6afa7eab5a3eac30823162c3003f7a268db6f70df150e85893ffca7e112b1943dec36fdd0971f17cccf47d67d69e4b

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
96KB

MD5
c55b628012bb77187c0870fbad68dcd1

SHA1
3eb9c47bd4ae058690666c59cde029af7532e2be

SHA256
03df7d6943a7f66d6f0ba882d27a0a4503df08cdcd38fccb868435fb4c13ca81

SHA512
f856ba48656bc7cb2770b37c1dc1de66f346c80a5c805004f8cd0eb98cb386a7c3452135b74caf995a13f716d4d7f09cb2723235db05c9953214f35d8513ca7d

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
96KB

MD5
3d67c04519e9b99ed2f4234fc3ceb08f

SHA1
0bf0d4a60b350f0ca50da4ad1035444e03557ca5

SHA256
69208260a06bf9fd70ead9e484dbeadc6cba1666cf4f108c958793a4c9eac6dd

SHA512
794a05776de0ecd5b755b60894b07c17138fdb038932ee7ce33b5f6dd969846582a205cede88865f8c8d5bdd82d6723c4027afe6f0bc5d9f30f9d8eaf54247bd

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
96KB

MD5
7ef8d2d81783cb22eb9071fcfddcf8a9

SHA1
9ac99fdefce7674268427e3583d68edbeb595b09

SHA256
d6fd28c349eb3c22e389eea2c8ee0f51b8ef878dc48ae06a5e1b410ba545be18

SHA512
700a6263c5d8e3c99207bdfa9fe2da9944953fdab55d83a87a70e9f4dc487635574835b9d1bee62377cad283809ab92fd471353a8f359345abf660aa57998495

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
96KB

MD5
2642f3d5398af2920fbbda0426ba2849

SHA1
88b415e1f19daa821a829b39dc81271b21dfe4d1

SHA256
227600c18119d41984b67a09011ae9f4e77955bfeccb356fa53bbe3a4997c7f7

SHA512
d10702daa474cb6c5e6c0cfb44237bf9c526528b8a2700a3491e15a4016f5df1ae852fa0848727d5aec406b3254468017f5cac1b5d6f0698832ddb30401d75af

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
96KB

MD5
83ec239e4d0cebf563355b94cc9a191a

SHA1
353cd2d33f7533de2a83e86bae771411e8b57840

SHA256
6375aaccae51768a257708b72c15d0b973969cc59e3265351dc65021a6179e7b

SHA512
5e68ddf1bc546b85608ba00de2fcff538c0437f333ca627d9b24c14cc1d0a412750c3571fce06a25e13e73db4532cf31426ef75f1eb95d7caadd7e92ac018125

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
96KB

MD5
85b8e3c841952a329ce4c484846a1524

SHA1
11530127f5c77be01f8118fe077cff9bbc052430

SHA256
aba6e9eaa23c76aba5994d865e8615beb794d07749d32bf7e940b9d1f4f67a6e

SHA512
ec90f3682e86ae1622e78b001082217d8fc84f639161966fd6d2ff44bd2453b782998640d102dfcc6b4c2473fe9111c90f20f74fc800133a7e6a810959626b02

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
96KB

MD5
3ff6b1530ad8fc4a2036e938957f6c80

SHA1
6b0903a2b4bb8c0a745563b576ae739cae150420

SHA256
1f3bded8087719012a2a1c8646795ef92cba90383def9d52650578f0e4aa3434

SHA512
33456eadd1bc718c85715090e92dc61d318309b3f05ea6c7a9c0f6981a66a12e4f088e420110df78d319954127ae02b797cae29b4b9931ce60b1feb339b790d9

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
96KB

MD5
70901c615d9a0931afe75db083cd5007

SHA1
cc22c22f0342ee30a24049a96905bd610c25b482

SHA256
3e1e9ad3fa35c61e41d085aea6e4e1cc24a293e3cd068cb3dbb089e0f0a98896

SHA512
1cff93dca8b1966cb48a2a809e7b124ed4def49a58c214c54319a209ef6e67628452e69b58e35847fd03da1009034304384a53a73bb672ef2d570d54963a8644

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
96KB

MD5
8798e738991c1d8f1378e1b485a26806

SHA1
f4b3f32a0d9b123053cbf2b8f1174311164003db

SHA256
d9f31d4b578f9b4ebac343f4ad7d496e60f27fc9d4e721b0778540ad27dcf1d7

SHA512
b4487e1dfc6f16b46711292e773e1bc90c623861befcc66136cb91f22ea8059c63e38902caba724b99e3081b16192e477f4b747642ad82d3779b7c8523e961fb

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
96KB

MD5
e67174548e6b919e813027cf87a4bbf2

SHA1
feca46828770ceb81c562bfd1d140667e566bb45

SHA256
ae38d017131ffd5764db7c22491eab958cdf364e47a72f0ad794bdca3c62f2ac

SHA512
ff60a05350cee0515125be1286f13833ef16f314aca1fb586780d375f8a8e85704aaac75f6a79143ddf31873558a9cb4eaf30832a76afac747671d4f195c9196

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
96KB

MD5
ec3b2143ad88e0d13d92f2a057a9b292

SHA1
42a8b861bb33091b7c138d5af64d7d470ab0c6b8

SHA256
84ab733b21caa5ad5bd5661305fb5b3cd8385b502183b64f1519637ea0ed5a2e

SHA512
704c3b1b993ef69e575901ff0b93e9efcbbdbef96c27e3a745113a3435713780913332648cce23116428fa8ad7ffbb0d9c35cdb1a94c711b75fbd1a71b17759b

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
96KB

MD5
80a26a28af347a6cdc9256772b1f2dd9

SHA1
16d753d9c6a0bf4227c202047b36d560f42ce7ec

SHA256
d86bc7a8bc283e5e8a06d4933b459cc3c1b5a342b34beb0fa19abca5823e68e9

SHA512
57fe19b76974cb28708a9bfbb564d325eb07aaa58a34d75cd9f072cd914a99fe3b2043d3259240ceff22cfe50fd23f6716da09d185414cbb95abe5ba27d361e0

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
96KB

MD5
662654261071f6f3550c73e695ba2954

SHA1
12f87238aebc755fa95379e60570088a6a45470b

SHA256
55e65221c69d18cf59da7d528ec3de4801c1940abfa444f6c3472ab5169cfc4e

SHA512
37970656ad5ef2fa7618b8d4ae66ce5d866cf18c6b2ee4796da061e19ae7d3ee9e29bf7fde142a13e17a03f163d535ea1deee7af64bc5f51074bc96beab40be2

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
96KB

MD5
fafde8880e8d72013bf1b05d13756fed

SHA1
fdf44a4a490c37af6530349ebef10e7ac83f80dd

SHA256
6da07250f552bdd3439f1a1e59ef9748f8e5f02ae69428dd42a5db29f9d18386

SHA512
bdd5475284c7f796825c1db848d613d84b8bdf1ef066e6194b5a69fe8265e8765ca5d6a334c1ed4544481449b952955b73ccc42540ddf283e157b2349db0c26d

Download Submit
memory/368-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/452-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/456-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-273-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/740-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/864-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/864-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1132-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1132-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1220-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1220-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1324-351-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1424-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1464-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1620-367-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1620-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1776-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1864-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1864-271-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1908-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1916-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1916-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-447-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1988-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1988-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2116-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2188-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2188-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2224-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2768-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2768-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2804-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2804-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3084-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3084-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3608-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3608-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3676-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3784-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3784-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3840-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3840-426-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3892-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3892-114-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3944-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3944-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3984-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3984-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4072-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4072-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4072-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4164-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4164-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-94-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4204-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4220-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4260-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4260-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4360-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4396-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4564-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4756-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4848-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4868-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4932-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4932-222-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5048-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5048-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads