52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11_NeikiAnalytics.exe
Size

96KB
MD5

e09f6e837f96ce226dcc156ccdac9df0
SHA1

917fcbd32cf81c593e54170c6b04bf1b518e66bf
SHA256

52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11
SHA512

f4ce19af8377ec9f37e62de21c2e8fcd08dec2095ed33b2fa4c148fcb0b56f2c700dd2e3b40a9b9dfa049ee0ac3d161c0e2cbfbf855a6214e39db16d97201aef
SSDEEP

1536:6v7ijCzY1Uz4IGte/S8Qvox/4f1m0wPmdrRwH8fduV9jojTIvjrH:0wX10StehL4oGd69jc0vf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibmmhdhm.exe

Executes dropped EXE 64 IoCs

pid	Process
2332	Gimjhafg.exe
4724	Gqdbiofi.exe
2156	Gfqjafdq.exe
3136	Gmkbnp32.exe
3212	Goiojk32.exe
4328	Gfcgge32.exe
1972	Giacca32.exe
1368	Gqikdn32.exe
1044	Gbjhlfhb.exe
1372	Gidphq32.exe
1604	Gqkhjn32.exe
3044	Gbldaffp.exe
4128	Gjclbc32.exe
4728	Gmaioo32.exe
4516	Gppekj32.exe
444	Hfjmgdlf.exe
4332	Hihicplj.exe
1672	Hapaemll.exe
980	Hpbaqj32.exe
2020	Hfljmdjc.exe
4168	Hikfip32.exe
8	Hbckbepg.exe
4060	Hjjbcbqj.exe
888	Himcoo32.exe
5068	Hccglh32.exe
3988	Hfachc32.exe
3088	Hmklen32.exe
3316	Hcedaheh.exe
3372	Hibljoco.exe
3596	Hmmhjm32.exe
2160	Ipldfi32.exe
2708	Ibjqcd32.exe
4700	Ijaida32.exe
3120	Iakaql32.exe
3552	Icjmmg32.exe
5032	Ibmmhdhm.exe
4148	Ijdeiaio.exe
3736	Imbaemhc.exe
2132	Iannfk32.exe
2264	Icljbg32.exe
2584	Ifjfnb32.exe
1932	Ipckgh32.exe
3616	Ibagcc32.exe
2632	Ijhodq32.exe
404	Iikopmkd.exe
3772	Imgkql32.exe
1424	Idacmfkj.exe
4632	Ifopiajn.exe
3896	Ijkljp32.exe
2868	Jaedgjjd.exe
2124	Jdcpcf32.exe
4492	Jbfpobpb.exe
4804	Jjmhppqd.exe
4448	Jagqlj32.exe
5024	Jdemhe32.exe
4164	Jbhmdbnp.exe
4416	Jmnaakne.exe
740	Jplmmfmi.exe
4956	Jbkjjblm.exe
3964	Jjbako32.exe
5048	Jidbflcj.exe
4244	Jpojcf32.exe
1208	Jbmfoa32.exe
4140	Jkdnpo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jdcpcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6404	6220	WerFault.exe	239

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 2332	4744	52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11_NeikiAnalytics.exe	83
PID 4744 wrote to memory of 2332	4744	52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11_NeikiAnalytics.exe	83
PID 4744 wrote to memory of 2332	4744	52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11_NeikiAnalytics.exe	83
PID 2332 wrote to memory of 4724	2332	Gimjhafg.exe	84
PID 2332 wrote to memory of 4724	2332	Gimjhafg.exe	84
PID 2332 wrote to memory of 4724	2332	Gimjhafg.exe	84
PID 4724 wrote to memory of 2156	4724	Gqdbiofi.exe	85
PID 4724 wrote to memory of 2156	4724	Gqdbiofi.exe	85
PID 4724 wrote to memory of 2156	4724	Gqdbiofi.exe	85
PID 2156 wrote to memory of 3136	2156	Gfqjafdq.exe	86
PID 2156 wrote to memory of 3136	2156	Gfqjafdq.exe	86
PID 2156 wrote to memory of 3136	2156	Gfqjafdq.exe	86
PID 3136 wrote to memory of 3212	3136	Gmkbnp32.exe	87
PID 3136 wrote to memory of 3212	3136	Gmkbnp32.exe	87
PID 3136 wrote to memory of 3212	3136	Gmkbnp32.exe	87
PID 3212 wrote to memory of 4328	3212	Goiojk32.exe	88
PID 3212 wrote to memory of 4328	3212	Goiojk32.exe	88
PID 3212 wrote to memory of 4328	3212	Goiojk32.exe	88
PID 4328 wrote to memory of 1972	4328	Gfcgge32.exe	89
PID 4328 wrote to memory of 1972	4328	Gfcgge32.exe	89
PID 4328 wrote to memory of 1972	4328	Gfcgge32.exe	89
PID 1972 wrote to memory of 1368	1972	Giacca32.exe	90
PID 1972 wrote to memory of 1368	1972	Giacca32.exe	90
PID 1972 wrote to memory of 1368	1972	Giacca32.exe	90
PID 1368 wrote to memory of 1044	1368	Gqikdn32.exe	91
PID 1368 wrote to memory of 1044	1368	Gqikdn32.exe	91
PID 1368 wrote to memory of 1044	1368	Gqikdn32.exe	91
PID 1044 wrote to memory of 1372	1044	Gbjhlfhb.exe	92
PID 1044 wrote to memory of 1372	1044	Gbjhlfhb.exe	92
PID 1044 wrote to memory of 1372	1044	Gbjhlfhb.exe	92
PID 1372 wrote to memory of 1604	1372	Gidphq32.exe	93
PID 1372 wrote to memory of 1604	1372	Gidphq32.exe	93
PID 1372 wrote to memory of 1604	1372	Gidphq32.exe	93
PID 1604 wrote to memory of 3044	1604	Gqkhjn32.exe	94
PID 1604 wrote to memory of 3044	1604	Gqkhjn32.exe	94
PID 1604 wrote to memory of 3044	1604	Gqkhjn32.exe	94
PID 3044 wrote to memory of 4128	3044	Gbldaffp.exe	95
PID 3044 wrote to memory of 4128	3044	Gbldaffp.exe	95
PID 3044 wrote to memory of 4128	3044	Gbldaffp.exe	95
PID 4128 wrote to memory of 4728	4128	Gjclbc32.exe	96
PID 4128 wrote to memory of 4728	4128	Gjclbc32.exe	96
PID 4128 wrote to memory of 4728	4128	Gjclbc32.exe	96
PID 4728 wrote to memory of 4516	4728	Gmaioo32.exe	97
PID 4728 wrote to memory of 4516	4728	Gmaioo32.exe	97
PID 4728 wrote to memory of 4516	4728	Gmaioo32.exe	97
PID 4516 wrote to memory of 444	4516	Gppekj32.exe	98
PID 4516 wrote to memory of 444	4516	Gppekj32.exe	98
PID 4516 wrote to memory of 444	4516	Gppekj32.exe	98
PID 444 wrote to memory of 4332	444	Hfjmgdlf.exe	99
PID 444 wrote to memory of 4332	444	Hfjmgdlf.exe	99
PID 444 wrote to memory of 4332	444	Hfjmgdlf.exe	99
PID 4332 wrote to memory of 1672	4332	Hihicplj.exe	100
PID 4332 wrote to memory of 1672	4332	Hihicplj.exe	100
PID 4332 wrote to memory of 1672	4332	Hihicplj.exe	100
PID 1672 wrote to memory of 980	1672	Hapaemll.exe	101
PID 1672 wrote to memory of 980	1672	Hapaemll.exe	101
PID 1672 wrote to memory of 980	1672	Hapaemll.exe	101
PID 980 wrote to memory of 2020	980	Hpbaqj32.exe	103
PID 980 wrote to memory of 2020	980	Hpbaqj32.exe	103
PID 980 wrote to memory of 2020	980	Hpbaqj32.exe	103
PID 2020 wrote to memory of 4168	2020	Hfljmdjc.exe	104
PID 2020 wrote to memory of 4168	2020	Hfljmdjc.exe	104
PID 2020 wrote to memory of 4168	2020	Hfljmdjc.exe	104
PID 4168 wrote to memory of 8	4168	Hikfip32.exe	105

C:\Users\Admin\AppData\Local\Temp\52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52f9ce54560fe5bd461859acf405cefaedf0a9c26f36a910b28f5d10c6583a11_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\Gimjhafg.exe
  C:\Windows\system32\Gimjhafg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\Gqdbiofi.exe
    C:\Windows\system32\Gqdbiofi.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\SysWOW64\Gfqjafdq.exe
      C:\Windows\system32\Gfqjafdq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
      - C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        24⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        29⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        32⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        40⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        46⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        48⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        68⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        70⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1948
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        72⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        73⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        74⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        75⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        76⤵
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4024
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        78⤵
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        79⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        80⤵
        Modifies registry class
        
        PID:500
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        83⤵
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        85⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        86⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        89⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        90⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2324
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        92⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        94⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        97⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        105⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        109⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        111⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        112⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        113⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        116⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        126⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        127⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        128⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        129⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        130⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        131⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        132⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        133⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        134⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        135⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        137⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        138⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        141⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        142⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        143⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        144⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        145⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        146⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        147⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        148⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        151⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        152⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 420
        153⤵
        Program crash
        
        PID:6404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6220 -ip 6220
1⤵
PID:6316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadofijl.dll

Filesize
7KB

MD5
d19c076c01b15616431fec9acc745456

SHA1
5599109811e8aee1d2dc06164d1a1d08e88d10c5

SHA256
5068262fa61133476e4e86a6f742cd85a75ce58b7c3d2e5e7401b947313f6acc

SHA512
a19d509870c8babc9611a76f2031303119d23e306b5b680b1b9f31471411ea72eda077e2c991f445949679335cc3ed62d67636cc67dd039ab50642086b4d542a

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
96KB

MD5
89f6164c70d63faeebec2886147a6171

SHA1
6a07a1b5cca06bddf70b34e4d33592a877557c48

SHA256
ff696c18969a93b9e9d4c6d02eeedb9cbcf7effb9140474355ddc8baaf7ff8ec

SHA512
116deec008d160ce759904a47f7c007a0e35558074acfd90361acc018871d0b540131a51d3901cb7fde593f3321d13c6724fd63180b70db1bb0437c9913c964a

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
96KB

MD5
4681d5bc600c6221fa8f44c1619528c2

SHA1
02fe259ba70461f7bf3a4df63093f4ee2dcb09a0

SHA256
2e5b54535dfc1f287e31511d7a44b1cec279b01a327afef14489bbcb14f629cc

SHA512
fa9fe913efce3bf567efd51e2fea9d443c5d9929a1ba5d6aaee9ece6a0c482501309120240f4458bf063b1078df5e9201035ab172f03539929258d579f635598

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
96KB

MD5
2625f802e7861230dc52bc0b71da7cb7

SHA1
a328ca00f1e6423e53b6e1a5a50fe995f9d0e679

SHA256
420e75286cc2629123b0285a4954874cb3ca65a96cb39fcce92edcd3862813cc

SHA512
fbb73c73ec28867266ba47d8f203ac3b5114c6bf7aeb1cece948d992543ec94f650a4887d194d3f5e57d6e64f6454fa7b918c9693b8b95faca51e9c8c8186e72

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
96KB

MD5
3454c1f3b5f9823afdfbdc2ec2ba1bc1

SHA1
ee344e8df43f7b97fea48ff71102d81e3b8c9a40

SHA256
85ed124ec50efb913bec8bd80ae3db0ba93642f528d5decaf2c49462dae91b56

SHA512
54b7772246e60bd3ac57736b641163d18206a7283ccf3fa90a5d3c30289b63ee8fe5127ec87f17441a07930b65c492777ed5c0cec524aaac3edc841827650c4b

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
96KB

MD5
d24264181625433c7179ed3de2fca951

SHA1
35c3eb4bbf0be12f2eee7b1218141a64a47e7cb3

SHA256
dbb9752a1cd940e77d13e1e077097cddb111c731191981b61cf0d51a56889b0d

SHA512
f4b8d1d0616825a5bcf29fabbc4276c56e1fb301db0daedefe742ae2673cf9ccca560ecd6159eb07f3f503d4de4d462d3cb36be453c986e506c78c80b6419a8c

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
96KB

MD5
10fc943db777e2ea2d35538d2f7ce42f

SHA1
ee778ca3249ae6c5c04d0a9ef5a977b3edc97966

SHA256
f26f5ae97bc0fd958f2b123d2b58fe003da9ad33db1c1435b5ee44db1d090dd4

SHA512
b2845b0486c3ce94a8b4fbe2b29016fe7e9257964d5edd13873c78a7178e277dcb4493521e372551c22e6962b347244dda28a9351f45c764e781d332f6745da2

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
96KB

MD5
12f2961f17831ffecbdefdce41e9868c

SHA1
b8c681ec7b7d939799d096b9e833c7de95f796f1

SHA256
8a8365d4249da93b80ac0f387c94edee04f808565142c4f4e4dccd8190fe3dff

SHA512
068c3234fee187236c8b15c342ddb90887085a6cd9ae5d13b190089b93575645879a8603928ab21c85a96ad7eead97eadab9e3e236dcbdd35941ccea788d8d78

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
96KB

MD5
2e4488007ea5a3a0c60242ac8b01d810

SHA1
7d61daecea15d6d030947d17de7601ba188ae153

SHA256
c0576d1087228a53914bbb7bda25bdb3cca4a088940c4b6c61de2526cacc7cdc

SHA512
6464b9fa166874f37fd0ecd64176b0a00eb801e4544660720a37c0f84b202242ffe47d4350a67feac26465bdfec066bb7d175b2737e481712bf70c27795b2ea4

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
96KB

MD5
21be49203552573243bc3a4583188b5c

SHA1
eb89e3759443c7562c439861d2aae8d8902d49c5

SHA256
5cc3c9000c7b66eddb75cf0c2ae172d0a13e9d2874ccedf3f3f5902d74a2438a

SHA512
1f6ad69628b90ccb0eea082570fc63e0056dbc9e2791087876011b74ab4494ec62a0e2a54b1dc9fb30a8013918a4114a9ebcd546ba6d35947bd7e9318ba04d07

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
96KB

MD5
c0a89b434f10e13dcbeb4dc35838b76b

SHA1
0133b9c19be444684f35f1b7932e5bec516da73f

SHA256
2417e0c963b0c6cf59957ca3f7d6ceaa9e25cd7b3004109181463a42441f31ec

SHA512
27ddba362d3df38e84f44385779dd731d66389f130d00c756256789e082db3d9d7cde5944d4b9ca82d3070bbf5bb2af9847d40a622712181928817916d3c2001

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
96KB

MD5
47724856544ef52229f065b38e1c5cc6

SHA1
10caafc99c968a847b88ed49e6bb69798e327633

SHA256
1d35aa0a34fe65e4405ef9630d679ccf3c63ba1bbe6087c300bcd3fdd49a5aee

SHA512
218c08034e09b7dacb6018c8f8bcf6094f39aace59bcff73455366a5745dff0439b39f8c10ecba79521c3bab26c905f724da518e668985e24cc1e93ed92816d0

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
96KB

MD5
5ebea32e34c493f6770f1a44384e08b5

SHA1
5bdaaa7c47ebeafef26e971deab25d8cd0f85f8a

SHA256
6a78adc478bd8193508a56f862d35dfac82ac3fe6ed72a71b3a76e2502a8c46a

SHA512
97c59696499a2ff72be5ff32007b61c1d521accbdd50e28c2904952be13b228773d2c2ec82be059f0cb79224ecaebc2bbf006aad96cfa80e32ce922a3d045682

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
96KB

MD5
77096be118e38520d0191fb49d089234

SHA1
079398861ded213b2f27a1410e3decfa0fb35bd1

SHA256
470fd8842539c10cc97973dde5b581f355fda5596d35b54fa4827188ce413dc3

SHA512
5bd83ca6c95f596f8442be0c936efc23bdda15e143e06e62dfcc1bbf9b14e72e7b36e48590be8a442499fd871e0158cfde733c9ff7547fb60063ef636dccfbbc

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
96KB

MD5
805141dacf00544d330980c026e560aa

SHA1
cd1d2d56591086e9280d07935f02b007db8c4ea9

SHA256
147f3a48c99e19b40ab7a4f78885618dacfa9a52f490728f99365af51eafb867

SHA512
0e389a5e10db5579a43393cd6ad9f54cf0188af1a3d7af1f1f13407284a85f224908ddaf4134ddf578bea6da5f27e105b19c96640f21e585349365ade29a1ed3

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
96KB

MD5
821017c45b1d950d9b2528076dcc2e58

SHA1
a1bf56f665799dd6069126ee5b66df1ce4f90647

SHA256
62df8bddb533bfabcda5099c67bb6bd617b3d54f482bb44ebc4a33b81bde18a8

SHA512
9c6b5bfe130a8bcb3c0790c87bb96ad5f3008f4cce4540f370257fbe339ba61fb3ef7147c36a2bcc2853199377698aa03191b73b7d7fbfa2570ce51f9da27485

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
96KB

MD5
27fc6e9fe14d7f9cf352b6ff68c4b9cd

SHA1
531e237a4c0aac336381c382d2c50d8debac9ba2

SHA256
275688e28b68023bfd89125bd048b5a489552b92e4575cbbf5d2dfc6bcbcb4e9

SHA512
c767d89346054f620d03ca231dd80f8154c129f2ef85d4e923d96533e0a101315a2ecef9d6e7ccea5d87c966ed538155896fd00ac148a14c78afc9bd678804e6

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
96KB

MD5
8e060034345298d3f79315b7ac001f2f

SHA1
ec35911c151da2613fbb975e73d2bc8f7120473b

SHA256
6191ad049f1114f26e8457f932548cd1a9bb322e1b131f55efab0019fea9fe92

SHA512
6c9fca20e969bda00535b24dca6509955dc5f1c66e7803ca3f9a857efc7fc6ccdaf438952b1cbffe259eeda6d5a4c28d22e790566e76e70b6b1450bac9a668cf

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
96KB

MD5
d27c859aa3a08195c00ba09d50c97148

SHA1
69e57b7a1e42a327d4bd849df202c35f88a255ec

SHA256
f8ec6ab1e753a357dc00ade156f56f1e53afe67013072256143a19dbca53e14e

SHA512
0e2fa8637d4a8bd6d7a83d4336121fd0729feba55513893fbd7eb3f02fbea9d971358d06288a394512c4975e79f3da25d2e68768067e571acfc26be96400e3d3

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
96KB

MD5
65493a45de070da241ca1637ec291cbe

SHA1
87df20b7663a45336fc12082f1cabd4c9717940c

SHA256
61ea81b01b5299b7d7890ba7d96c85f1b467de6e372f7678a24aeebf2f9daf80

SHA512
2acff7f0709df1e9b76cf3578cff9ac778d9e5c14221065deaaf51944de3e41d6d5cf9b61f3f56d475f027d587f7a17840740550db6ca465c438c74709e46499

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
96KB

MD5
6e4ef6fba64d572ecb5a5276d158cfcf

SHA1
028b1da4a83f4dcd8ad2a222340391f780c6998a

SHA256
92ac616d7d5fefd8658535135992694da32a7a6a81f077281d95ba0fde2d3ea7

SHA512
2ae0e02a7daca62c53b610e87f8ccc3a4eca239d95de645cddf4ebe2ac7d20618961f81ebca4ac1e23e19ed3da4b5cfba0b94aa375a1d3ed8139b682a932933f

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
96KB

MD5
615c7c2b2ab84514b1546765b8b814b2

SHA1
8cc09214b9326300b4bf7e674b2f5a1ee5989e10

SHA256
fc922f91fe67a0bd160cd888041d728e7c631b14f3b5273b4df5222e40aee8e5

SHA512
6a4a51eda82c360fa85458b7303263d91224e746083a7efcfa9de97462429d4df2c82838b0a18b29123f60890ede5c3f4a511f3567db68ac97218ac7f90cd47c

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
96KB

MD5
3170d5bded9459103174a4e6532f13d6

SHA1
dcc318dee056cae6a94f4aed8d59da7c1349b4db

SHA256
f11cd763cef5720e15cf6dfd4f94934ebcda704b336525917b0be658b742feb5

SHA512
01f3e3d4db92c7a74d60def97dc0fd55795d79c61aaef8438b067eab0c9958d639e3df1e29f0de676ea46d738dedea61bf64aebd39914625cfb526319ac150d7

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
96KB

MD5
57bf03478c2eb344e3aad0a4c4f42b4e

SHA1
c1cc2f4a89dd9f6b41b13dbe137b4e82effdcf6b

SHA256
e49ae1607a283118708fd48a81f691c95094d0b216ff53c2e9f4e03c3d074ab8

SHA512
184b1e14efdbe12f8642ddb245c8a0aaccef5922ce9ccd2df0ea576918de03c569882a622aae268c42649a0b321bcae96c7cceb5de43102d53babe54fbd8a879

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
96KB

MD5
663f23ecdf6f6e0a56035ed24047ccc1

SHA1
7e99c07d30fa781e8a2c4c441c80848565630774

SHA256
ba72e782b1382e88f3e910dffe30f5c4f85dd1ea02c8e5aedba127fa0be27c5e

SHA512
62dab91285500711ed7f5d13b7efe2c9309a510c4d0944c7ad47d3d28fc66895f0b1abf6e85cdef5924563d9229bbd4fb1ed53a41acf537a1356cf9893281f45

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
96KB

MD5
5aed8ff8c5e1ebd71403005c14bd36f6

SHA1
4abefaa3df323967321f7f083b75ba3f526bc5de

SHA256
3aef876b5b8ebc6cb442d024f9e7f4f1f68aa7ec400110f9867d93dab63c0fb7

SHA512
7b8c7a7ecf581506bbb05466895c5615b07c9e468092974c0edc47a7fd63e1195ed1b42e7f9b234545b3b8bd25b2352c677883b955602e7a7aab8a2edc36daab

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
96KB

MD5
91c7d5208191739e3c1aeac0a4dc8f87

SHA1
4deec564ce8a021b765c87bfaa617aa900a52ed2

SHA256
7cd2595d6e94b5911648447691e7294cf82d95129ac778fc68e2896fc97406cb

SHA512
433c10556ca782d141f3253d22cf695155d4d2f10a84192cbcb6e69c9c06d18bb18a7cd90ba00d33fcc29b51bfed76898b2fbe4fcb0d4ccf09839a97a1bda8ef

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
96KB

MD5
3c7672a5cbe918dd6df1251ec2695a68

SHA1
f85932ebb588c8aa116dfa3cc15aa4e3f8852eff

SHA256
ab27b13cd33eca5c793db974902bab289e63e62aef3ba2619d92d2e8fc0ff859

SHA512
b5fd4ab25867efcb399e3edc699af4a5ad51d32b6e755934dc7d9340936eac8b1d9acf317b03fa97668ec0ff41f7b439a8406c80fa3736994a712a43e4861d6d

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
96KB

MD5
d95f5c8612b205b043917a83bf76b8f4

SHA1
4d88226f9c9ab33686875a9ecbcf7d9ea4df5763

SHA256
4306bccb5e814db4b1d7d52347e423b40e4ab4339f007dc99469830e84bab4e3

SHA512
5e380e53895625602cde6382334e1b07292d71689fa3bc9b5a764a28dae98e90ed4f1faf44749beea327d66a2b4507831849223cbb3b33e72bfc469990ab821f

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
96KB

MD5
88a961323298a511afc72e034412369e

SHA1
55a46776e05f6a28c7f494ed186a14b9e9891d94

SHA256
639acaf140335959e5ce95e7f4b7f92fa20ff3e9e260de80458499ed6e20e9bb

SHA512
3cd796ea2226ac96717b4ad587c0870e9623fa0479f9c9943887b96f4977282c885fbf98f4c3348966d78f8a566e4a511ff7622b8246a1cf9be33f2b017a6d40

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
96KB

MD5
967d152a1108bdaf25cd30537673afa4

SHA1
6a659f349c5e6ee92a60bcd9c883eaca3dd4948e

SHA256
ff3af1a118a0723b2385f231676339aec3a30b54c472cb5e7c530baf1d1df51b

SHA512
f2aea84f8956c0595d3eb90758e14d2786104883a572f942ff882a93eb3a70a833d3849fe5c0d35deedd5eff610515642491254fec63fa45d91abf6d009cca2d

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
96KB

MD5
b85746d316ef362b9c391447b72ade53

SHA1
cec108bfad925d0203836a9f24784021dc786568

SHA256
0b15dffc60803792c47aed831caf32345e5c8c576097fb21a670b5d35aa4c745

SHA512
c5df98b093a817787497f65c0ce83b86d6016d6ed0747ceabe83ec0e452dad87a97ae89a189672f5b2a66ce15a40a661d725f2766f9644e823428404e39708e8

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
96KB

MD5
b88487a04bbaa43a7002dab50ca93ff0

SHA1
b6908de42bb0a9336cf41707201b5563acbab9b2

SHA256
1e7b6d70f61a82cbe719d1b08b5a03256f5063e306aecdebdd5980dbb7cee020

SHA512
51f428512b98b9618832321b34001737fa58d5788c8dccddb7e05efb1a487387cd1fbebea91b5bf0ea0112d38eb814db2f4098af1d56eb88fd93f16f3b521266

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
96KB

MD5
e7ba2ee8e0da61524bcdd9daf236bddc

SHA1
bf7773a7471b5804491b225efc43f6c4b09f2e35

SHA256
857b27b6e8fa6b66e8b38d40eea92f0e423a79fa061e16ab2085a54d71f30fae

SHA512
a616476c314b543c05180257592ee057ded32850a606868b0cef3cf372599592ce49624977fa97391caa9d6ceb7b7ec967c5a2ebaecdbc504a0562dbab9fa8e2

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
96KB

MD5
26b730ab7de88cdd56268622a7ce5072

SHA1
2aad0d79d7a9ddc4893030fbee441f2c924aa250

SHA256
2a3937eeb7dab0f028d124dda5843d813ea87a291ebb06fc8e1db4132a874f51

SHA512
4ee006321dfcc1d3295e7845ffe7e814a1b95556a756206f840318395729e3ce53a9b71865903be5c88960c7925c203d774113877e5c87cb0b179b6be671b592

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
96KB

MD5
b5fde99a8d53c5ead1aca6d03d1388e1

SHA1
0748891501adb23dafc6f848e4f65f3c5fdd958b

SHA256
693c8537e856156d676a7da63106be1fecbdc48988926807d83322e9fa6f33fe

SHA512
df9a11c03c628f415be8adb4ea92c9c5e98894501b03d8da66212fea68c06a5835d7f500ba25043edd1c274c5e3bd1244a65e2cda232234769fb92aca30c82b0

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
96KB

MD5
cc65deba9a0b49384c92e4609033dddd

SHA1
cbab87a30784482b0627fd9412e457179c63c972

SHA256
58d0edd466a8e50786e54c94be19bc54feccdb8f66b3fe4559843ee233b4a413

SHA512
302930046d500e7cc3ccfb7c4c5e1b3d7538d26deda785e88c1e3c50d01b8acd659d0779e182a75b5b5e72c6c7478dd30beba25df93701b93b72f54ea4757426

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
96KB

MD5
a1509559577922c6e0c0710924db41d2

SHA1
b963411adf2562a6b018e02adfdadb308dee09fd

SHA256
55df7db68de84fca6ce0d174d3b26e97909c5f4b8c9af321d35f7eae3f975e98

SHA512
53758c2627d87f3d776f6964d45825343b518708c90b23a05d181b95d1f41b6ee1698513d2db74bbaa11f0d8f62211891e04fb64b765da40a90c9120fcb3d954

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
96KB

MD5
58b280cb40e36bf43c94517cfcb9c327

SHA1
0d4c68e9b9f3429bf68dd398c7916a58895b4faf

SHA256
c1bab921459494a4b01086ad75ca42cde5219c97e2f6209e42b0877f67d0c89a

SHA512
af4ff598c4ae4d34412b22cbf035fde134bc11766cc8e99ce4dcce64f85ec183381db80599303391be98618546a9c19863818ddcb747f8a3c17db8c4a4df07e5

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
96KB

MD5
6ef1d813e6e0e45773b245f594875523

SHA1
760eeacc95cc6e5f550a90ef78c4c968046ca2e2

SHA256
7164e91915bca2688fc189f9a24fc7f6382d9fbdbcc04985ef632f2fde161a8e

SHA512
3330e139d75f145bafbd6e821b15f95a690d57c9857bdff70d9053fc5d1191488c48ace122087d6da811fa3233d994b9b246a76b2dd7fe713a24cc27c64e01c9

Download Submit
memory/8-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/404-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/444-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/500-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/740-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-590-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/888-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1112-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1264-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1368-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1372-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1456-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1576-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1932-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-488-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1980-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2020-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-570-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-470-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2584-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3088-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3184-560-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-518-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-550-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3316-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3552-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3616-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3736-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3772-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3896-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-428-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3988-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4024-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4060-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4140-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4164-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4168-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4332-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4632-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4700-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4724-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4724-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4728-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4744-548-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4744-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4812-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4920-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4956-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5092-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads