a3500cd0a58cf9337f48b66d05b6b17b24d8d0aa48cd4ead58c68f5ab341a514

Analysis

max time kernel
132s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe
Size

203KB
MD5

e6f3c7088737e03bf31128416e42df90
SHA1

dc3527b583a3c55a8ae62b636387468ee73a3a8f
SHA256

a3500cd0a58cf9337f48b66d05b6b17b24d8d0aa48cd4ead58c68f5ab341a514
SHA512

c109fe3ac9da1b4ef932affebd7731fb3321886e0a4d4f05ca42de0e5ac1e732af7e8da80c895ca1cceb16a9bccd0900e1abcdf1d3084805f1905a4742f2c2c3
SSDEEP

6144:K5wW1K08BtnJfKXqPTX7D7FM6234lKm3mo8YG:fW1ngtJCXqP77D7FB24lwT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe

Executes dropped EXE 64 IoCs

pid	Process
684	Gfhqbe32.exe
5088	Gmaioo32.exe
2936	Gppekj32.exe
4720	Hboagf32.exe
380	Hjfihc32.exe
3576	Hmdedo32.exe
4768	Hcnnaikp.exe
4468	Hfljmdjc.exe
5024	Hikfip32.exe
396	Habnjm32.exe
3416	Hcqjfh32.exe
4576	Himcoo32.exe
1156	Hadkpm32.exe
5028	Hpgkkioa.exe
3432	Hbeghene.exe
4904	Hjmoibog.exe
3852	Hmklen32.exe
2672	Hpihai32.exe
2704	Hfcpncdk.exe
4296	Hibljoco.exe
4908	Haidklda.exe
4824	Icgqggce.exe
5036	Iffmccbi.exe
3644	Impepm32.exe
2388	Ipnalhii.exe
4868	Icjmmg32.exe
2128	Ifhiib32.exe
3212	Iiffen32.exe
2108	Iannfk32.exe
3100	Ipqnahgf.exe
2892	Ifjfnb32.exe
528	Ijfboafl.exe
4820	Iapjlk32.exe
1748	Ipckgh32.exe
2188	Ijhodq32.exe
2528	Iikopmkd.exe
4256	Iabgaklg.exe
3512	Ipegmg32.exe
1656	Idacmfkj.exe
3952	Ifopiajn.exe
1212	Iinlemia.exe
3060	Imihfl32.exe
4380	Jdcpcf32.exe
2400	Jfaloa32.exe
4476	Jiphkm32.exe
1564	Jagqlj32.exe
3980	Jpjqhgol.exe
60	Jbhmdbnp.exe
1448	Jjpeepnb.exe
4116	Jibeql32.exe
976	Jaimbj32.exe
4304	Jdhine32.exe
320	Jfffjqdf.exe
3984	Jidbflcj.exe
4316	Jmpngk32.exe
2356	Jaljgidl.exe
3860	Jdjfcecp.exe
2144	Jfhbppbc.exe
688	Jigollag.exe
4536	Jangmibi.exe
5004	Jdmcidam.exe
1404	Jbocea32.exe
2884	Jiikak32.exe
2544	Kaqcbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6352	6256	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 684	4988	e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe	82
PID 4988 wrote to memory of 684	4988	e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe	82
PID 4988 wrote to memory of 684	4988	e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe	82
PID 684 wrote to memory of 5088	684	Gfhqbe32.exe	83
PID 684 wrote to memory of 5088	684	Gfhqbe32.exe	83
PID 684 wrote to memory of 5088	684	Gfhqbe32.exe	83
PID 5088 wrote to memory of 2936	5088	Gmaioo32.exe	84
PID 5088 wrote to memory of 2936	5088	Gmaioo32.exe	84
PID 5088 wrote to memory of 2936	5088	Gmaioo32.exe	84
PID 2936 wrote to memory of 4720	2936	Gppekj32.exe	85
PID 2936 wrote to memory of 4720	2936	Gppekj32.exe	85
PID 2936 wrote to memory of 4720	2936	Gppekj32.exe	85
PID 4720 wrote to memory of 380	4720	Hboagf32.exe	86
PID 4720 wrote to memory of 380	4720	Hboagf32.exe	86
PID 4720 wrote to memory of 380	4720	Hboagf32.exe	86
PID 380 wrote to memory of 3576	380	Hjfihc32.exe	87
PID 380 wrote to memory of 3576	380	Hjfihc32.exe	87
PID 380 wrote to memory of 3576	380	Hjfihc32.exe	87
PID 3576 wrote to memory of 4768	3576	Hmdedo32.exe	88
PID 3576 wrote to memory of 4768	3576	Hmdedo32.exe	88
PID 3576 wrote to memory of 4768	3576	Hmdedo32.exe	88
PID 4768 wrote to memory of 4468	4768	Hcnnaikp.exe	89
PID 4768 wrote to memory of 4468	4768	Hcnnaikp.exe	89
PID 4768 wrote to memory of 4468	4768	Hcnnaikp.exe	89
PID 4468 wrote to memory of 5024	4468	Hfljmdjc.exe	90
PID 4468 wrote to memory of 5024	4468	Hfljmdjc.exe	90
PID 4468 wrote to memory of 5024	4468	Hfljmdjc.exe	90
PID 5024 wrote to memory of 396	5024	Hikfip32.exe	91
PID 5024 wrote to memory of 396	5024	Hikfip32.exe	91
PID 5024 wrote to memory of 396	5024	Hikfip32.exe	91
PID 396 wrote to memory of 3416	396	Habnjm32.exe	92
PID 396 wrote to memory of 3416	396	Habnjm32.exe	92
PID 396 wrote to memory of 3416	396	Habnjm32.exe	92
PID 3416 wrote to memory of 4576	3416	Hcqjfh32.exe	94
PID 3416 wrote to memory of 4576	3416	Hcqjfh32.exe	94
PID 3416 wrote to memory of 4576	3416	Hcqjfh32.exe	94
PID 4576 wrote to memory of 1156	4576	Himcoo32.exe	95
PID 4576 wrote to memory of 1156	4576	Himcoo32.exe	95
PID 4576 wrote to memory of 1156	4576	Himcoo32.exe	95
PID 1156 wrote to memory of 5028	1156	Hadkpm32.exe	96
PID 1156 wrote to memory of 5028	1156	Hadkpm32.exe	96
PID 1156 wrote to memory of 5028	1156	Hadkpm32.exe	96
PID 5028 wrote to memory of 3432	5028	Hpgkkioa.exe	97
PID 5028 wrote to memory of 3432	5028	Hpgkkioa.exe	97
PID 5028 wrote to memory of 3432	5028	Hpgkkioa.exe	97
PID 3432 wrote to memory of 4904	3432	Hbeghene.exe	99
PID 3432 wrote to memory of 4904	3432	Hbeghene.exe	99
PID 3432 wrote to memory of 4904	3432	Hbeghene.exe	99
PID 4904 wrote to memory of 3852	4904	Hjmoibog.exe	100
PID 4904 wrote to memory of 3852	4904	Hjmoibog.exe	100
PID 4904 wrote to memory of 3852	4904	Hjmoibog.exe	100
PID 3852 wrote to memory of 2672	3852	Hmklen32.exe	102
PID 3852 wrote to memory of 2672	3852	Hmklen32.exe	102
PID 3852 wrote to memory of 2672	3852	Hmklen32.exe	102
PID 2672 wrote to memory of 2704	2672	Hpihai32.exe	103
PID 2672 wrote to memory of 2704	2672	Hpihai32.exe	103
PID 2672 wrote to memory of 2704	2672	Hpihai32.exe	103
PID 2704 wrote to memory of 4296	2704	Hfcpncdk.exe	104
PID 2704 wrote to memory of 4296	2704	Hfcpncdk.exe	104
PID 2704 wrote to memory of 4296	2704	Hfcpncdk.exe	104
PID 4296 wrote to memory of 4908	4296	Hibljoco.exe	105
PID 4296 wrote to memory of 4908	4296	Hibljoco.exe	105
PID 4296 wrote to memory of 4908	4296	Hibljoco.exe	105
PID 4908 wrote to memory of 4824	4908	Haidklda.exe	106

C:\Users\Admin\AppData\Local\Temp\e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e6f3c7088737e03bf31128416e42df90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\Gfhqbe32.exe
  C:\Windows\system32\Gfhqbe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\Gmaioo32.exe
    C:\Windows\system32\Gmaioo32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\SysWOW64\Gppekj32.exe
      C:\Windows\system32\Gppekj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        26⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        30⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        31⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        43⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        45⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        55⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        64⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        66⤵
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        67⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        68⤵
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3848
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2668
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        79⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        80⤵
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4144
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        86⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        88⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        94⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        95⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        99⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        100⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        101⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        102⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        104⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        108⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        110⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        111⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        112⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        114⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        117⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        118⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        119⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        120⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        123⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        124⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        126⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        130⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        132⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        134⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        139⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 412
        141⤵
        Program crash
        
        PID:6352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 6256 -ip 6256
1⤵
PID:6324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
203KB

MD5
9f6c0825b431496697e7cec785f5e3f3

SHA1
88062ceb2c4f7c64c6bd70d457dbb353933d2ec2

SHA256
bd296624b5fa5d614d9ce9069d218e01ec1e35ced3afbd6506161713b3bb0349

SHA512
ffc40e2025cdee645c694099b9d100cec2c41191b0820e5214a2448ad4c50d8b92407a0cf75396c927e85e115cebef9e821838f87026003525982c0a9d4186c2

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
203KB

MD5
00e83cae2364062f8713ff8e12eb8cc6

SHA1
9bc907723c5c4384d9d34df52ebc2c86388bd785

SHA256
73e2a5ffd5ee879bbefbdde2c105d16613eb118d8ee10bfc40584911cf1c8d1e

SHA512
bb3366fa37e1b2ce4e7444c03960b04ed93763597fc31c7ec719a49eb3960badfbf2c333c5903ff8130adb2b8971f19b0dd0173ba334a77204871599521445ce

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
203KB

MD5
7f40bfc76f3d4289bf36cd0ee42a5c2b

SHA1
0d7aa16680881a0c7e4f49adf410c3057b15b1ac

SHA256
11787130937843557e828b1171caed8928eb9c1d86414164430c98b9a20c187a

SHA512
0cff8be6338fa81e6ea9240939b6825cd85fa24f86df20843a528b98a4224ac774a59e57f93b27ff5721596b48ebfa7f75856c008574c57b2caee352fdacf899

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
203KB

MD5
f593386c4ca3bbaceb9a7bf835445bdc

SHA1
e2f0367da09b91508e417b916d500644e8750d16

SHA256
90b2da5a9f837cb97893ba3e776e062c3729a94334dedc06f943a881281d6cec

SHA512
a250989ddabdfcb8d408b09b72f4dce282c0985026532cc5ea91621e1c610e91f37ceab89c4d51638399c3bb2fb94e4644eadc095a6d670c1c5521e696c4b043

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
203KB

MD5
91c3152255b5b261105cb8dde9f27019

SHA1
81431930c8883c22a6f1bf2eff9216f9fac2fd58

SHA256
f930e421718f1e308e9faf4feda03d14dcaa640ab92037a8ce36876208bd809a

SHA512
99e56d38dda641805f1131246ee9f2ad9c2b7fb45f37b51fe1ea13603c489402b9e4c1913b1e30c22b7d3838cb54859301e8501b2691937d12cdabb4bff9201e

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
203KB

MD5
1961376a4fd54fc81c08f7660292f68f

SHA1
1930896c4b3ae62b8a7cca831120aff9f5963c39

SHA256
bf9f713b716f4f4dd1e729fad4fd6a3f0942dfa956ae60f94e79bb6abe35c7aa

SHA512
782585b42a96b5649905a9f9c2fde7eebc2399cf637e4231e4bc0e0886215fa3c4b8ca185d7db361903db81a0437d2c45ed20225623178c390c14950b9b84204

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
203KB

MD5
3f6be9e3603b1821670bbc7060248d20

SHA1
4b479197608db2b5a46eb65cb5bdaeca56275a7a

SHA256
81304b4f0163e08ceac361a89bd09ce1f97e697f889004a6667c1ba7609fd010

SHA512
4a33afcfc0c3787768bf55ec2c78b7d71e9b6d48e99ebc5fed841f3b9a279589d3dcaa786a8e289ba157c36abbc23b89df1ef9199d68ac9a4618c72e3875ae6a

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
203KB

MD5
f31b808179b43e356e06005f264854ef

SHA1
1f817bf7c46ac9dde13f947dbda97360e5ceb32f

SHA256
a00f5472c3d17f3063f5956e714ec57ed6cc6a4709f0f149175aec7df7b0de6a

SHA512
0327e82cb2c06c6e9afe5806456d9ae3e96c1e63e8096cf8cec186669049f2db7558c44eb2caf4b7142e3cf36e926168ce84e870ca63aa702ed25d03f1d6a5bf

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
203KB

MD5
ed8c392fe8446c733cbbfefd3ec7a78e

SHA1
4238dc566b7d99b5bd713eab20629c43272c80cd

SHA256
4fd9e126aa01f6110ce754f44ead1524f643efb538a82fb75d51cf7dd7e9e6c0

SHA512
4f865138f2daf13d3d59fc83fc24d9b83fd861afae43f0b91d630fd3874320b01a20f029b717a6ba0eb2fc8dfd5a0a4c7d3ea1db04c999c6668f576f702701d6

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
203KB

MD5
647e4f18da5eb58e99a7cec35225be06

SHA1
c77aa50676cfc15172ddc7b79c533b190821e53f

SHA256
b7717b13ee5f49cb703a2bb3cb0fb87b8328da1e8b00a6d4d3c188aabd58a803

SHA512
ecf4eeaad17eaea08d827df568df4db376ff83d11d53198afcb3ca55e79c7ac0e74d9ade87611c2925d1fcc6fedc6c4aa066bcf47b7fdf12a53b2071f7703c84

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
203KB

MD5
3c91faeb0f25e992035b835ca6a8e4fc

SHA1
463086b9df90edc98b0326caa98a7a4cbadfc002

SHA256
187f2a566bbaa5314d31c81b0780b7bac40de48b6f8366f914bc21c33da0b752

SHA512
48b13eafce9441bc8a260feab29f6dde4d4c9c76be7ebf3849b622ba98c12ea8a9758e27256256037c9f11beab98e618fd960682c62bf196d422fc6a40065a02

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
203KB

MD5
2c58639cf1b2f121d5085c2f6c45e8d8

SHA1
767568cda34102951b59cac1017678268db28a0b

SHA256
6266b4049be0c8557e2f32846139e49b602c50ca0ac29843be12a11b87ad6597

SHA512
ef4eb49ddd67ce7facb6128f33113a2d43aa44990715571552f307cb56049d4c3b29b868bf9e69fdc93376f13bc5236bc4033d8b6a16a4538959fe6bcf3a986c

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
203KB

MD5
295c210fdd56b69179fdc63e060872f8

SHA1
82a8818798097da80020dec80cc631f36d55dc4a

SHA256
d85bb28c2e473c7a3bd9f17f837e0be8d534f2d582398bf7375b33fe9b154f8e

SHA512
22069c2fb0f9f9401eeb4e8408ad77b9bf7b61b3330aa444ac6fd6fd5f86f6725147cad2cd739e7385fbb89b470d308d5ba3f25a08568efec194612845f48100

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
203KB

MD5
869416a64468473e7bacdad2d36356b4

SHA1
a1a7381f08fd23421b43ce05f6a276a139c2f365

SHA256
890b958483e24cc2ffb6dd0cd3fe7ad3d6bd335ddca4e5982e9c2304d23aee78

SHA512
8907920e4e76e5ec028e76092727325cd967a95907617cb7df6928826edbc0a0a7e0fc8fa5642e8fd866ac114cca4bf2ef2a86ab2833484aae0b285332381624

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
203KB

MD5
16594d6ed2da5cadf577b1e80fbd3487

SHA1
8d516bc584b4775844a1a527275e621956ad709d

SHA256
4499fb6407513138495ef9b32b197e4d3f2ed07378aebd26be191fdde458e71c

SHA512
9dcf15833e738f3c784a66585b2c86e8c4631556b478b256b801ff9983c5ee1c4051e405bee7b04861bb7b489f7ca93f5197ce4087657d33ea176854f61a644d

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
203KB

MD5
dbe96ae912273c2f4a44096705f3cce7

SHA1
f1d99c982d86f1710665d5cb0fb720ebae1f3356

SHA256
c8f0c3fab9933b1c70b03178c8ebbf7d90a2988df73e00dbc7b24957790cd3f4

SHA512
fa2f316b9c37c6a8f87a36545b380f7b6f7ebe66cfbba95a8427581b3f40a756fb75935b475e23849259a9fa083c06b2017561afbd4425b5fee283ae1401e70f

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
203KB

MD5
4d7deb44763b33674553e6b387b62282

SHA1
c2d619b3dbd2f9a35a63cbacb05e7bab2f16f478

SHA256
2fa8c15236df3ae52418812d0479603a37f98a7585d91ee3ee996f69dec14f5a

SHA512
944890f93fe444a87558c0516c646f430dae36cb0dcc18511f80628937538bb6d80885450937e75a0402ecae0efd51d50c4118482c811ecda4f05680c53db2ba

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
203KB

MD5
7e4e14c72486084abdf452736bf9639a

SHA1
adf5586cf10ac024f57bc25d69b80f169f7e02ab

SHA256
a487cd0ec4e103bc479f7877e761b8fd7b7fd7a4d93f4f0a234a779e624a2b66

SHA512
1ec755e4a578ef8b5f8dff38237cef72d0801e9ece18af87f1c759c8faf517544f3ed9e3fa269b4493363757ec0befbf257f685da0014985c72ba3991cbef41d

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
203KB

MD5
0eb7565a476431c98b5b1e6cb8332e06

SHA1
29b49aef5b991fe6fd11c89da5a1431250fee7e2

SHA256
49c0cbea950820f4fc20121afad6dc348af5666bd1e8f4707f9150cd8b9ddb81

SHA512
6dd84b4cd6a2a72ce1fcc731f07ead87c83d121ad0569fe23724f5c996650567d446a8749f6981d8641b913c9552e844346e7e1aedcc6bdcf88d3472f7c0cd88

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
203KB

MD5
f551781441455bdc8e385e27bce7b649

SHA1
33e5bdd54cec2dff0d4209020b68320e4b0199e3

SHA256
a2038957af4828cfea5f5b16f187a30d3ace56e3c5999691803e5cd3b89e6a7a

SHA512
d74bb3affd41c12210edd9fad9eb68a95fd658fc069eb9ca90958f7ce6bfbcf134821796762975efe8e99c398757b03aca8d8d28b006192d2c1acc1154c1a51c

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
203KB

MD5
af2cfe8cfedc68b4d841b44d42b3f2cb

SHA1
cbdf2d782a86fad713cbdc14b2b9d8c5972034a4

SHA256
cea439afda71cd5391767b749cc4b61ae7b2e1e121c197de45580f9d8b5a9a48

SHA512
82d69bd199f80377b7c2ebd5476929d6331174c248138260fdc3e9b791601a1c2bf09464b7f640bf94654a2887f33a79571e7a31c342495201355097ac82c740

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
203KB

MD5
eb99593bbb4a6e00d368b667211a9aeb

SHA1
4d381d70982ada6164759f9cb777fbf33edfe47b

SHA256
8938c97a72d9c51f7dd3a53097cabfa647dcf1e529c4bb7eec603635bf459e06

SHA512
b5e9ef401dce260aaef01820cdfdaf13ec0a1089a5bec388535433aa80c187118388d82ace36110be8b73364cb4f1cba2cbcdfefe78086cf3b49b9e1c666279e

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
203KB

MD5
ef3c13333dec460496b1010c07be1c7b

SHA1
0842042d9af4e9920038bfeb77663d9715d21cb1

SHA256
aa8f0f97b2339b8d17a3ef5ebcc1b988ec99675c2a5708774b64b942c8309a74

SHA512
cc87e59a22ff3695ff61ff094e82a2d37e389db74fc3b4ae3509299e0ca4ab5ed00c47a0250b64bf1d001702b9620bba39420fd1a63c36c08c3756963f71df58

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
203KB

MD5
2e9308a7e9e3467857803bc275b0a476

SHA1
fe0af3fd380b808fff6a66b6f6131cf4fc2ce9a5

SHA256
730509fb1a687e010f973c17cfb5dfa3f2ea1e436a9dd3f7ef4b40eb79a7241f

SHA512
96c86913933df40bd6c934735a0faf10c4562265db7037b9bf6fa2a6c29af016194e2c7a7a911d09bbfc7eef5bf4bda465d87737d16a56a31b85a38aea78e047

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
203KB

MD5
6fa2dab949db01cba576fd01c05c55c0

SHA1
000ab4c3f10793feb1134d94c66f0d6179fe1916

SHA256
f034c35d1f6a0ed7babe6662bbffc308d8e5137519e917d8e0666445f864de77

SHA512
e923c3c0419e3c11580323c3ab68a099182c53cc187bc1e08956ba0ebea1ee013689e3c626eba6444f628386c2c5bd2a9922b12d1c624dfb3160ef0af4f57e1a

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
203KB

MD5
29e50415135c026b5eba6df6aca3ccce

SHA1
1b162420c81adfe7f5f397df53f7686faea3f697

SHA256
0cd63bd71a9b20cc6f5bf8f8d37ce8a365a62ec616bb2ecb92bc1991e5eb9e13

SHA512
bb339073d895660587cfa873338bb0efb2605e4d1860016ee1dbe9d43051769219dd066f5e1d1c5296f2215ea060d3396cdcddf7b67a3fce97a9ca666c91a892

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
203KB

MD5
2911ef6fdfb29d7e43c95727081dfa0d

SHA1
71ab97319b7f61cdb02c626bd32961a79bf87991

SHA256
1614ad534c3f84f63fc3b2aa53eb66f1c69a337a156289a39f4cf83a478807fb

SHA512
88de7a4463b6973bbf19498349ece596e0fcc8f6982cfe7461dc6a2ec9291c0b43f158654e4ef7353a969b7700c4ea6649d2822a4cfa1d770ab2c1ad4a0953ff

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
203KB

MD5
7be38262a63f3258ac3930ab801e112e

SHA1
16f695ee630244cd7b5fcfa6a790cb85c2c951f0

SHA256
e64ff127b63eb19beb61614251c01dc3348be79bbc520341fbb64ce1a0d5f4c6

SHA512
cb519e38070278aa8b1e76f2738238728745f8ab18382e1f6b95cea9f865755501422e29106403a82fffd9aa18a01424da0778d530b18fdeaaad96bfa4095e57

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
203KB

MD5
3530e31d8bbcc36099a23bbddf42d18e

SHA1
26268f94bc42e3e7cf9f55ed1e61a2a6b650fb26

SHA256
232fd1776e020827a367ab56a8f6648d8f045d3bf5fc0efcda16b64b2effe9dd

SHA512
5f6f1e08104d611fc6cf1745fec9a1e3d4f551dd4f69a506060790f092bfe89c3b42b688fd3f01cbf8215d5ad83750d0c8e66d2e98a6ec87802c3b830ea1428b

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
203KB

MD5
34784d159a2d57c56c49b2a2bde02704

SHA1
0fb1300f26540c762e272e66bdfdf4f9cd62e4f8

SHA256
186595fb77f58a4a11ed61a0a6e1e1ea39cf66e772f9ef46b37d0f2b5cab9d4f

SHA512
6629aada9ac1f4a9553d8c5a88d25578860020e52ba29e2370fc4874fb462c13bf148330efd0f43b6301108a10194fb25a88d4617ed99924de0027bd29102c14

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
203KB

MD5
3a5525373e4a272aeea255bdd7dfd570

SHA1
c20f862d67567ba7b62c4ac5055a79c9be62a5a4

SHA256
956db49c37158499f185ee88c99b6f7f9d79dad4594930b7e5d0579022284830

SHA512
7545f57a4b3b6ec7daf6595a3c9c30da466239bafb783ea186880e3e1d5f374c3d2cc40ed892d82aa74ece0bc2cd5092de54da1d795fad1354ac6d5fe0df1a91

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
203KB

MD5
e368967c860f162c0959ccbad91e1f95

SHA1
c58eec475924a6ec52e993beac2cdefeee124425

SHA256
05cff57577b5b6ad63e46e5bf48073373fdda15f7d1d541747aa1e7c9fd926e8

SHA512
a86c52641ef85b6988f27fbd5addb2d4e2b76f1b539ec22794e76971b5fcb11a39925c149167bccabd48a9958ae21b748ad9f34d05cfe014ff18ebec21f6dbd2

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
203KB

MD5
8548daedd5f8a1e610e787966da72e2d

SHA1
12cda2ce7727971931104d037c28691a55438515

SHA256
87184c70d2d4c4cf4e0c7fe18e45f5278300d2db178d2605518a9efe85dfd701

SHA512
70f7c345e8bed22d73c21279645ca54375ca26a2a80da981a73d95c1d5f9175817193cf83685b9ae5b446d56e4248bf165480b1cbd3f7e5fd0c0ffa92c5e935b

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
203KB

MD5
d7ca399a3987a6000952e9d124ed2ea3

SHA1
a69dcc7bfcfb0bbc14331f1a929d714ce76697ee

SHA256
5407b5f593ef5923f1e76437d14a6bd36dbe13338321ad63e0be9132714b9543

SHA512
ff1a70d1b96d283b112ccd50440b5ada843f34210a72984aad01167162117cf2369581839356e4c7a86ae07247c148d384d1d37f853d2a081a1ff5f5b8783a6d

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
203KB

MD5
728a971bbb9b8ce360c291f41c873fc4

SHA1
bc13d2aaca13e6fba0658dfe0228a48168e5749f

SHA256
c222ff13683642cbd4189fb724c6d5124c1687d9e8363591ce7ea516997548ce

SHA512
85fa8447a8f9e1fb9c65eb755423b0ea613432dcb2362db963d195025d1122800b509463186f0288dc6d64c606ac2ca9dd41a028345836ee7752968552290a67

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
203KB

MD5
e3d6a41f35b90e8ad1ebcb86825ba00f

SHA1
3bd4cba6879a5337ebacc3856f031c242e2655ba

SHA256
27f7e32f0eb78e108b7d03307cc0d233dc633b8dc4bf67e224f036476e1ee760

SHA512
4e73d962ed8f91c8b8934ce4fedc7717b6c22920c98b001e171c6b155874392a9a4030c3feceffd06ec2a33b069df90720d6696810661aedf7c679a69b1ac325

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
203KB

MD5
f50597e21972abf2571f9c4b9fe25954

SHA1
f4f6666e82a7e4ece961d9079d5c348293e02ba9

SHA256
90f4cdae5345e59c176c6c2ebf96cfd03be7dcf0cf8753c73dc60e7a22b4d1df

SHA512
e285c2cb567177b4676db002e968a37e4739ca25e778001165bc3c548d1be876e260b65220e2fcc6979394c4be06ba34e869d1354cb66712eb20abd23af2049d

Download Submit
C:\Windows\SysWOW64\Lgabcngj.dll

Filesize
7KB

MD5
ed58ce142e346461b003557b98fddaa8

SHA1
5702a9386c3cf302559f2d7d31d5c885871ee765

SHA256
d4ea4ca6de88777868f9621425456a8eca0cd5e62de03ce7a0d17c0c7303c967

SHA512
c596a77631c001092554e017f620fc25b4a9b33628a04a814bc1de63d6b1253e6e73aa61cb6eab4a50928fffb7476b30f66b640a53d82e873d89dc68ee7e87a0

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
203KB

MD5
5e45dfd766f1f7ac6bd9891c91905e09

SHA1
e819255315d72f4d8dc793a6ec0a82f41b56c92f

SHA256
9af72d74dd6270e85805f1d356888662750dcdeb75f87b82ba414ad110cec365

SHA512
d9f823f0ac881ca4f9801f3cfb6c27d7d840b743e1a0126ffa8ecab85e45ee5ecedcf9f5cd1cd70536f99cff212a0a805f99d5758e4b3b78e160e047aaee48ed

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
203KB

MD5
1806e96ab284918dd1aeac886829a316

SHA1
6651f361477b562a1b5972cac5b46be862db69e6

SHA256
cc950b867bbd2ecc6ef73123b1c3e7c5b7d4c798551e29f251dc8f490fe81a1e

SHA512
47a8805d2f28d766f8fdd69f82b2cdd4ac5b8b5e28d5acebfd1ae0b3a16f26c19a5c12dc627df6e1ca33fa1e26a3341b01be44529138dcc272f4df5773492831

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
203KB

MD5
7550fe929e2a70a02ea9f7213db2e718

SHA1
09fa5c9f61cf3541e6eb2a2bc785436c8ec6c555

SHA256
4daebf7c3a9ad6c37be4fcf8df33b2d447303d87498ea5d3326c6da9efed2c26

SHA512
c2fa912e136cb1edb6dbff16ddbcf7f8ea3cc94696c6c98838467db768190d7dee8925493da4bc959427fd273088314d2275912edf52144731cc4a2464588947

Download Submit
memory/60-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/320-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/380-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/380-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/396-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/512-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/528-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/688-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/944-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/976-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1408-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1656-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2144-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2400-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-451-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-571-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3100-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3196-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3212-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3424-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3432-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-530-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3576-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3576-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3644-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3792-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3848-477-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3928-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3984-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4012-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4144-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4256-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4768-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4768-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4820-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4824-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5004-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-549-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-564-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5144-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads